Verification of a timed multitask system with Uppaal: case study
Description: slides presented at ETFA 2005 by Beatrice Berard, Houda Bel mokadem, Vincent Gourcuff, Jean-Marc Roussel and Olivier De Smet (LURPA - EA 1385 - ENS de Cachan; LSV - CNRS UMR 8643 - ENS de Cachan; LAMSADE - CNRS UMR 7024 & Université Paris-Dauphine). Transcript of the presentation follows.
Page 1: Title
Verification of a timed multitask system with Uppaal: case study
ETFA 2005
Beatrice Berard, Houda Bel mokadem, Vincent Gourcuff, Jean-Marc Roussel, Olivier De Smet
LURPA - EA 1385 - ENS de Cachan
LSV - CNRS UMR 8643 - ENS de Cachan
LAMSADE - CNRS UMR 7024 & Université Paris-Dauphine
Page 2: Outline
ETFA 2005, 22/09/05
• Context: Programmable Logic Controllers (PLC); multitask behaviour
• Case study
• Modelling with Uppaal: idea; overview of the model; control program; operative part
• Verification: property; results
• Conclusion
Page 3: Context
Safe control of production systems
• Strong interaction between control and process: large number of inputs and outputs
• Strong temporal requirements: reactivity in relation to the process; taking physical times into account
• Control made by a Programmable Logic Controller (PLC), programmed in IEC 61131-3 standard languages (SFC, Ladder Diagram, ...) plus TON (on-delay timer) blocks
• Cyclic behaviour with multitask possibility
Figure: the PLC (control) drives the MSS Bosch didactic system (82 inputs / 50 outputs) (process)
Page 4: Context
The multi-task behaviour
Mono-task
• Cyclic behaviour: INPUT, PROGRAM, OUTPUT
• The Response Time (RT) depends on the cycle time (TC): TC ≤ RT ≤ 2 TC
• Standard approach; hardware dependent
Multi-task
• React to a specific event: the Response Time (RT) depends on the event-driven task
• Better RT with the same hardware, at the cost of a more complex program
Figure: CPU activity over time. The main task runs its I P O cycle repeatedly; when an event occurs, the event-driven task runs its own I P O sequence and the main task resumes afterwards.
Page 5: Case study
MSS Bosch didactic system
Constraint: the conveyor must stop within a small range.
=> Strong timed requirement: the time variation for the physical stop of the conveyor must be less than 5 ms.
Is multitask a solution? => Formal verification
Page 6: Modelling with UPPAAL
Idea: verification by model-checking
Main problem: does the control satisfy the property? (control ⊨ property)
• The control is formalised as a timed automaton, synchronised with another timed automaton (the modelled process).
• The property is formalised in temporal logic (LTL, CTL, ...), possibly together with an observer automaton; examples on the slide: AG(APB AF ~horn), AG(~d1 AF ~lig).
• The model-checker (UPPAAL) [LP97] answers: property true or false.
Page 7: Modelling with UPPAAL
Overview of the model
Synchronous non-deterministic processes: 13 timed automata
Figure: the PLC side (main task, event-driven task) and the operative part (component 1, component 2, component 3); the arrows between them are labelled output messages, input variables and activation messages.
• Binary synchronisation with messages
• Communication through shared variables
Page 8: Modelling with UPPAAL
Overview of the model (continued)
Synchronous non-deterministic processes: 13 timed automata
Figure: example of a message between the PLC and the operative part (binary synchronisation Stop! / Stop?) and of a shared variable (Pos_test, assigned with Pos_test := 1 on one side and tested with the guard Pos_test == 1 on the other).
Page 9: Modelling with UPPAAL
Model of the control program
The atomicity hypothesis: each one of the 4 steps of the main program executes instantaneously. Time can elapse only in 4 states.
Based on the Mader - Wupper approach [MW99]
Figure: timed automata of the main task and of the event-driven task, with clock X. Main task locations: Input scan, Evolution condition, Step activation, Computation of outputs, Output activation. Event-driven task locations: Idle, Evolution condition, Step activation, Computation of outputs, Output activation. Locations marked C are committed (no time elapses there); the main cycle restarts under the guard X ≥ TCmin with the reset X := 0, and the locations where time may elapse carry the invariant X ≤ TCmax.
Page 10: Modelling with UPPAAL
Model of timer
• Mader - Wupper model: 3 channels for each timer
• Our model: one broadcast channel for all the timers
Page 11: Modelling with UPPAAL
Operative part: conveyor
Positions along the conveyor: loading position, capacitive sensor position, steel-bearing test position, optical sensor position, inductive sensor position, right position.
Page 12: Verification
Property
Property P to check: the conveyor stops in less than 5 ms at the steel-bearing test point.
In CTL or LTL this is difficult to write => add an external observer automaton that measures the elapsed time with a clock Xobs.
=> Express the negation of P as a reachability query: E<> observer.stop and Xobs > 5
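As an added example (not part of the slides or of the authors' UPPAAL model), the script below applies the observer technique of this page to a constructed discrete-time model of the mono-task scan cycle from pages 4 and 9: the cycle length is chosen non-deterministically in [tc_min, tc_max], a sensor may fire at any millisecond, and an observer clock Xobs runs from the sensor event to the Stop output. Exhaustive exploration then answers the same kind of query as E<> obs.stop and Xobs > 5; the cycle-time values and function names are assumptions of this example.

```python
from collections import deque

def reachable_stop_delays(tc_min, tc_max):
    """Tiny explicit-state search over a discrete-time (1 ms) model of a
    mono-task PLC: inputs scanned at cycle start, outputs written at cycle
    end, cycle length chosen in [tc_min, tc_max] (the X >= TCmin guard and
    X <= TCmax invariant of the slides). The observer clock Xobs starts when
    the sensor fires and is read when the Stop output is written (observer
    location 'stop'). Returns every Xobs value reachable at that point."""
    # state = (x, tc, sensor, scanned, xobs): x = time spent in the current
    # cycle, tc = this cycle's length, sensor = part at the test position,
    # scanned = stop request captured by the last input scan,
    # xobs = observer clock (None until the sensor fires)
    start = [(0, tc, 0, 0, None) for tc in range(tc_min, tc_max + 1)]
    seen, todo, delays = set(start), deque(start), set()
    while todo:
        x, tc, sensor, scanned, xobs = todo.popleft()
        succ = []
        if not sensor:                       # the part reaches the test position
            succ.append((x, tc, 1, scanned, 0))
        if x < tc:                           # 1 ms elapses inside the cycle
            succ.append((x + 1, tc, sensor, scanned,
                         None if xobs is None else xobs + 1))
        elif scanned:                        # cycle end: Stop output written
            delays.add(xobs)                 # observer enters 'stop'; read Xobs
        else:                                # cycle end: scan inputs, new cycle
            succ += [(0, nxt, sensor, sensor, xobs)
                     for nxt in range(tc_min, tc_max + 1)]
        for s in succ:
            if s not in seen:
                seen.add(s)
                todo.append(s)
    return delays

def exists_stop_with_xobs_over(tc_min, tc_max, bound):
    """Discrete analogue of the UPPAAL query  E<> obs.stop and Xobs > bound.
    True means the negation of the property is reachable, i.e. P fails."""
    return any(d > bound for d in reachable_stop_delays(tc_min, tc_max))

if __name__ == "__main__":
    # Constructed cycle times of 3..5 ms, not the paper's PLC parameters.
    print(sorted(reachable_stop_delays(3, 5)))   # 3..10, i.e. TC <= RT <= 2 TC
    print(exists_stop_with_xobs_over(3, 5, 5))   # True: a stop later than 5 ms exists
    print(exists_stop_with_xobs_over(3, 5, 10))  # False: never later than 2 TCmax
```

The reachable delays span exactly [TCmin, 2 TCmax], which is the TC ≤ RT ≤ 2 TC bound of page 4 recovered by search rather than by hand.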
Page 13: Verification
Results

| Name | Model | Property | Verified | Computation time | Memory used (Mo = MB, Go = GB) |
|------|-------|----------|----------|------------------|--------------------------------|
| C1 | Multitask | E<> obs.stop and Xobs > 5 | Yes | 15 s | 30 Mo |
| C2 | Multitask | E<> obs.stop and Xobs <= 5 | Yes | 15 s | 30 Mo |
| C3 | Multitask | E<> obs.stop and Xobs > 10 | No | 22 s | 61 Mo |
| C5 | Monotask | E<> obs.stop and Xobs > 10 | Yes | 16 s | 30 Mo |
| C6 | Monotask | E<> obs.stop and Xobs <= 10 | No | 22 s | 70 Mo |
| C7 | Monotask | E<> obs.stop and Xobs > 20 | No | 22 s | 69 Mo |
| C5' | Monotask with Mader-Wupper model | E<> obs.stop and Xobs > 5 | - | > 29 h | > 1 Go |
Page 14: Verification
Conclusion on this case study
E<> obs.stop and Xobs > 5: Yes. So the conveyor may stop in more than 5 ms.
This configuration of multitask is not sufficient to ensure the property.
Page 15: Conclusion
Conclusion and perspectives
Achievements
• Method to represent a time-dependent system: control + process
• Improvement in modelling the control program
- Easier modelling of TON
- Less time and memory cost in verification
• Real case application in Ladder Diagram
Future work
• Automated modelling of the control program
• Timed property library
• Function block
• Other IEC 61131-3 languages
• ...