Formal Specification and Verification for Automated Production Systems

Complex industrial control software often drives safety- and mission-critical systems, like automated production plants or control units embedded into devices in automotive systems. Such controllers have in common that they are reactive systems, i.e., that they periodically read sensor stimuli and cyclically execute the same program to produce actuator signals. The correctness of software for automated production is rarely verified using formal techniques. Although, due to the Industrial Revolution 4.0 (IR4.0), the impact and importance of software have become an important role in industrial automation. What is used instead in industrial practice today is testing and simulation, where individual test cases are used to validate an automated production system. Three reasons why formal methods are not popular are: (a) It is difficult to adequately formulate the desired temporal properties. (b) There is a lack of specification languages for reactive systems that are both sufficiently expressive and comprehensible for practitioners. (c) Due to the lack of an environment model the obtained results are imprecise. Nonetheless, formal methods for automated production systems are well studied academically---mainly on the verification of safety properties via model checking. In this doctoral thesis we present the concept of (1) generalized test tables (GTTs), a new specification language for functional properties, and their extension (2) relational test tables (RTTs) for relational properties. The concept includes the syntactical notion, designed for the intuition of engineers, and the semantics, which are based on game theory. We use RTTs for a novel confidential property on reactive systems, the provably forgetting of information. Moreover, for regression verification, an important relational property, we are able to achieve performance improvements by (3) creating a decomposing rule which splits large proofs into small sub-task. We implemented the verification procedures and evaluated them against realistic case studies, e.g., the Pick-and-Place-Unit from the Technical University of Munich. The presented contribution follows the idea of lowering the obstacle of verifying the dependability of reactive systems in general, and automated production systems in particular for the engineer either by introducing a new specification language (GTTs), by exploiting existing programs for the specification (RTTs, regression verification), or by improving the verification performance

Modellierung und experimentelle Untersuchungen zum Oxyfuel-Prozess an einer 50 kW Staubfeuerungs-Versuchsanlage

Die Herleitung des Unterschieds zwischen globaler und lokaler Stöchiometriezahl für den Oxyfuel-Prozess hat gezeigt, dass gleiche lokale Stöchiometriezahlen bei variierendem Rezirkulationsanteil unterschiedliche globale Stöchiometriezahlen zur Folge haben. In dieser Arbeit wird vorgeschlagen, die Bezeichnung der Zustandspunkte im Oxyfuel-Prozess mit den Sauerstoffkonzentrationen am Brennkammereintritt bzw. -austritt zu verbinden. Für den Sauerstoffanteil am Brennkammereintritt (z.B. 30 vol.-%) und den Restsauerstoff am Brennkammerende (z.B. 4 vol.-%) folgt zum Bespiel die Bezeichnung Oxyfuel 30 mit 4 % Restsauerstoff. Diese Bezeichnung ist eindeutig und kann das Lambda – als Beschreibung der Stöchiometrie im konventionellen Betrieb – ablösen. Für eine Vielzahl an Punkten sind Verbrennungsversuche mit Trockenbraunkohle und Sauerstoff durchgeführt worden. Ein stabiler Betrieb der Versuchsanlage der TU Dresden wurde zwischen Oxyfuel 17 und Oxyfuel 33 erreicht. Die Untersuchungen haben nachgewiesen, dass die Rezirkulation des feuchten Abgases für die Verbrennung unkritisch ist. Die Schwefeldioxid-Emissionen sind abhängig von den variierenden Reaktionstemperaturen im Kennfeld, dem Restsauerstoff am Brennkammerende und der Rezirkulation des Abgases. Mit der Belagssondenmessung von Aschepartikeln im Abgasstrom wurde gezeigt, dass auch andere Komponenten (z.B. Chlor) im Oxyfuel-Prozess aufkonzentriert werden. Diese erhöhten Konzentrationen werden zu neuen Anforderungen in der Werkstoffauswahl führen. Für das Einschwingverhalten der Abgaszusammensetzung beim Umschalten von konventioneller Verbrennung zu Oxyfuel-Prozess-Fahrweise hat sich gezeigt, dass für diese Staubfeuerungs-Versuchsanlage ein einfaches Rührkesselmodell geeignet ist

A hyperelastic model for simulating cells in flow

In the emerging field of 3D bioprinting, cell damage due to large deformations is considered a main cause for cell death and loss of functionality inside the printed construct. Those deformations, in turn, strongly depend on the mechano-elastic response of the cell to the hydrodynamic stresses experienced during printing. In this work, we present a numerical model to simulate the deformation of biological cells in arbitrary three-dimensional flows. We consider cells as an elastic continuum according to the hyperelastic Mooney-Rivlin model. We then employ force calculations on a tetrahedralized volume mesh. To calibrate our model, we perform a series of FluidFM(R) compression experiments with REF52 cells demonstrating that all three parameters of the Mooney-Rivlin model are required for a good description of the experimental data at very large deformations up to 80%. In addition, we validate the model by comparing to previous AFM experiments on bovine endothelial cells and artificial hydrogel particles. To investigate cell deformation in flow, we incorporate our model into Lattice Boltzmann simulations via an Immersed-Boundary algorithm. In linear shear flows, our model shows excellent agreement with analytical calculations and previous simulation data.Comment: 15 pages, 9 figures, Supplementary information included. Unfortunately, the journal version misses an important contributor. The correct author list is the one given in this document. Biomech Model Mechanobiol (2020

Intraoperative dynamics of workflow disruptions and surgeons' technical performance failures: insights from a simulated operating room

INTRODUCTION Flow disruptions (FD) in the operating room (OR) have been found to adversely affect the levels of stress and cognitive workload of the surgical team. It has been concluded that frequent disruptions also lead to impaired technical performance and subsequently pose a risk to patient safety. However, respective studies are scarce. We therefore aimed to determine if surgical performance failures increase after disruptive events during a complete surgical intervention. METHODS We set up a mixed-reality-based OR simulation study within a full-team scenario. Eleven orthopaedic surgeons performed a vertebroplasty procedure from incision to closure. Simulations were audio- and videotaped and key surgical instrument movements were automatically tracked to determine performance failures, i.e. injury of critical tissue. Flow disruptions were identified through retrospective video observation and evaluated according to duration, severity, source, and initiation. We applied a multilevel binary logistic regression model to determine the relationship between FDs and technical performance failures. For this purpose, we compared FDs in one-minute intervals before performance failures with intervals without subsequent performance failures. RESULTS Average simulation duration was 30:02~min (SD = 10:48~min). In 11 simulated cases, 114 flow disruption events were observed with a mean hourly rate of 20.4 (SD = 5.6) and substantial variation across FD sources. Overall, 53 performance failures were recorded. We observed no relationship between FDs and likelihood of immediate performance failures: Adjusted odds ratio = 1.03 (95% CI 0.46-2.30). Likewise, no evidence could be found for different source types of FDs. CONCLUSION Our study advances previous methodological approaches through the utilisation of a mixed-reality simulation environment, automated surgical performance assessments, and expert-rated observations of FD events. Our data do not support the common assumption that FDs adversely affect technical performance. Yet, future studies should focus on the determining factors, mechanisms, and dynamics underlying our findings

Suitability of soil carbon certificates for climate change mitigation

There is growing awareness of the role that agricultural soils can play for climate change mitigation. Agricultural management that increases soil organic carbon (SOC) stocks constitutes a nature-based solution for carbon dioxide removal. As soils store about twice the amount of carbon found in the atmosphere, even small relative increases could significantly reduce global warming. However, increasing SOC requires management changes that come with costs to the farmers. In this regard, soil carbon certificates could provide a much-needed financial incentive: Farmers register their fields with commercial providers who certify any SOC increase achieved during a set period of time. The certificates are then sold on the voluntary carbon-offset market. We analysed the suitability of soil carbon certificates for climate change mitigation from the perspectives of soil sciences, agricultural management, and governance. In particular, we addressed questions of quantification, additionality, permanence, changes in emissions, leakage effects, transparency, legitimacy and accountability, as well as synergies and trade-offs with other societal targets. Soil properties and the mechanisms by which carbon is stored in soils have strong implications for the assessment. Soils have a limited storage capacity, and SOC is not sequestered but its SOC stocks are the dynamic result of plant derived inputs and losses mainly in the form of microbial respiration. The higher the SOC stock, the higher the annual carbon inputs that is needed to maintain it. If carbon friendly management is discontinued, elevated SOC levels will therefore revert to their original level. We found that while changes in agricultural management that increase SOC are highly desirable and offer multiple-co benefits with climate change adaptation, soil carbon certificates are unsuitable as a tool. They are unlikely to deliver the climate change mitigation they promise as certificate providers cannot guarantee permanence and additionality of SOC storage over climate relevant time-frames. Where the certified carbon storage is non-permanent or fails to meet criteria of additionality, the use of such certificates to advertise products as “carbon-neutral” may be construed as false advertising

Carbon farming: Are soil carbon certificates a suitable tool for climate change mitigation?

Increasing soil organic carbon (SOC) stocks in agricultural soils removes carbon dioxide from the atmosphere and contributes towards achieving carbon neutrality. For farmers, higher SOC levels have multiple benefits, including increased soil fertility and resilience against drought-related yield losses. However, increasing SOC levels requires agricultural management changes that are associated with costs. Private soil carbon certificates could compensate for these costs. In these schemes, farmers register their fields with commercial certificate providers who certify SOC increases. Certificates are then sold as voluntary emission offsets on the carbon market. In this paper, we assess the suitability of these certificates as an instrument for climate change mitigation. From a soils' perspective, we address processes of SOC enrichment, their potentials and limits, and options for cost-effective measurement and monitoring. From a farmers’ perspective, we assess management options likely to increase SOC, and discuss their synergies and trade-offs with economic, environmental and social targets. From a governance perspective, we address requirements to guarantee additionality and permanence while preventing leakage effects. Furthermore, we address questions of legitimacy and accountability. While increasing SOC is a cornerstone for more sustainable cropping systems, private carbon certificates fall short of expectations for climate change mitigation as permanence of SOC sequestration cannot be guaranteed. Governance challenges include lack of long-term monitoring, problems to ensure additionality, problems to safeguard against leakage effects, and lack of long-term accountability if stored SOC is re-emitted. We conclude that soil-based private carbon certificates are unlikely to deliver the emission offset attributed to them and that their benefit for climate change mitigation is uncertain. Additional research is needed to develop standards for SOC change metrics and monitoring, and to better understand the impact of short term, non-permanent carbon removals on peaks in atmospheric greenhouse gas concentrations and on the probability of exceeding climatic tipping points

Modellierung und experimentelle Untersuchungen zum Oxyfuel-Prozess an einer 50 kW Staubfeuerungs-Versuchsanlage

Die Herleitung des Unterschieds zwischen globaler und lokaler Stöchiometriezahl für den Oxyfuel-Prozess hat gezeigt, dass gleiche lokale Stöchiometriezahlen bei variierendem Rezirkulationsanteil unterschiedliche globale Stöchiometriezahlen zur Folge haben. In dieser Arbeit wird vorgeschlagen, die Bezeichnung der Zustandspunkte im Oxyfuel-Prozess mit den Sauerstoffkonzentrationen am Brennkammereintritt bzw. -austritt zu verbinden. Für den Sauerstoffanteil am Brennkammereintritt (z.B. 30 vol.-%) und den Restsauerstoff am Brennkammerende (z.B. 4 vol.-%) folgt zum Bespiel die Bezeichnung Oxyfuel 30 mit 4 % Restsauerstoff. Diese Bezeichnung ist eindeutig und kann das Lambda – als Beschreibung der Stöchiometrie im konventionellen Betrieb – ablösen. Für eine Vielzahl an Punkten sind Verbrennungsversuche mit Trockenbraunkohle und Sauerstoff durchgeführt worden. Ein stabiler Betrieb der Versuchsanlage der TU Dresden wurde zwischen Oxyfuel 17 und Oxyfuel 33 erreicht. Die Untersuchungen haben nachgewiesen, dass die Rezirkulation des feuchten Abgases für die Verbrennung unkritisch ist. Die Schwefeldioxid-Emissionen sind abhängig von den variierenden Reaktionstemperaturen im Kennfeld, dem Restsauerstoff am Brennkammerende und der Rezirkulation des Abgases. Mit der Belagssondenmessung von Aschepartikeln im Abgasstrom wurde gezeigt, dass auch andere Komponenten (z.B. Chlor) im Oxyfuel-Prozess aufkonzentriert werden. Diese erhöhten Konzentrationen werden zu neuen Anforderungen in der Werkstoffauswahl führen. Für das Einschwingverhalten der Abgaszusammensetzung beim Umschalten von konventioneller Verbrennung zu Oxyfuel-Prozess-Fahrweise hat sich gezeigt, dass für diese Staubfeuerungs-Versuchsanlage ein einfaches Rührkesselmodell geeignet ist

Modellierung und experimentelle Untersuchungen zum Oxyfuel-Prozess an einer 50 kW Staubfeuerungs-Versuchsanlage

Die Herleitung des Unterschieds zwischen globaler und lokaler Stöchiometriezahl für den Oxyfuel-Prozess hat gezeigt, dass gleiche lokale Stöchiometriezahlen bei variierendem Rezirkulationsanteil unterschiedliche globale Stöchiometriezahlen zur Folge haben. In dieser Arbeit wird vorgeschlagen, die Bezeichnung der Zustandspunkte im Oxyfuel-Prozess mit den Sauerstoffkonzentrationen am Brennkammereintritt bzw. -austritt zu verbinden. Für den Sauerstoffanteil am Brennkammereintritt (z.B. 30 vol.-%) und den Restsauerstoff am Brennkammerende (z.B. 4 vol.-%) folgt zum Bespiel die Bezeichnung Oxyfuel 30 mit 4 % Restsauerstoff. Diese Bezeichnung ist eindeutig und kann das Lambda – als Beschreibung der Stöchiometrie im konventionellen Betrieb – ablösen. Für eine Vielzahl an Punkten sind Verbrennungsversuche mit Trockenbraunkohle und Sauerstoff durchgeführt worden. Ein stabiler Betrieb der Versuchsanlage der TU Dresden wurde zwischen Oxyfuel 17 und Oxyfuel 33 erreicht. Die Untersuchungen haben nachgewiesen, dass die Rezirkulation des feuchten Abgases für die Verbrennung unkritisch ist. Die Schwefeldioxid-Emissionen sind abhängig von den variierenden Reaktionstemperaturen im Kennfeld, dem Restsauerstoff am Brennkammerende und der Rezirkulation des Abgases. Mit der Belagssondenmessung von Aschepartikeln im Abgasstrom wurde gezeigt, dass auch andere Komponenten (z.B. Chlor) im Oxyfuel-Prozess aufkonzentriert werden. Diese erhöhten Konzentrationen werden zu neuen Anforderungen in der Werkstoffauswahl führen. Für das Einschwingverhalten der Abgaszusammensetzung beim Umschalten von konventioneller Verbrennung zu Oxyfuel-Prozess-Fahrweise hat sich gezeigt, dass für diese Staubfeuerungs-Versuchsanlage ein einfaches Rührkesselmodell geeignet ist