LSV
Verification of a timed multitask system with Uppaal
Case study
ETFA 2005
Béatrice Bérard, Houda Bel Mokadem, Vincent Gourcuff, Jean-Marc Roussel, Olivier De Smet
LURPA - EA 1385 - ENS de Cachan
LSV - CNRS UMR 8643 - ENS de Cachan
LAMSADE - CNRS UMR 7024 & Université Paris-Dauphine
ETFA 2005, 22/09/05, slide 2, LSV
Outline
Context
• Programmable Logic Controllers (PLC)
• Multitask behaviour
Case study
Modelling with Uppaal
• Idea
• Overview of the model
• Control program
• Operative part
Verification
• Property
• Results
Conclusion
Context
Safe control of production systems
Strong interaction control/process
• large number of inputs and outputs
Strong temporal requirements
• reactivity in relation to the process
• taking physical times into account
Control made by
• a Programmable Logic Controller programmed in IEC 61131-3 standard languages: SFC, Ladder Diagram, … + TON blocks
• cyclic behaviour with multitask possibility
Figure: the PLC (control) connected to the MSS Bosch didactic system (process, 82 inputs / 50 outputs).
Context
The multi-task behaviour
Mono-task
• Cyclic behaviour: INPUT, PROGRAM, OUTPUT
• The response time (RT) depends on the cycle time (TC):
  TC ≤ RT ≤ 2 TC
• Standard approach, hardware dependent
Multi-task
• React to a specific event:
  the response time (RT) depends on the event-driven task
• RT?
• Better RT with the same hardware, but a more complex program
Figure: CPU activity over time t. Main task: I P O P O (input scan I, program P, output O). Event-driven task: I P O, started when the event occurs and interleaved with the main task.
Case study
MSS Bosch didactic system
Constraint: the conveyor must stop within a small range.
=> Strong timed requirement: the time variation for the physical stop of the conveyor must be less than 5 ms.
Is multitask a solution? => Formal verification
Modelling with UPPAAL
Verification by model checking
Figure: the main problem is whether the control satisfies the property (control ⊨ property). The control is modelled as a timed automaton, synchronised with a timed automaton modelling the process. The property is formalised in temporal logic (LTL, CTL, …), possibly with the help of an observer (formulas on the slide: AG(APB AF ~horn), AG(~d1 AF ~lig)). The model-checker (UPPAAL) [LP97] answers True or False.
Modelling with UPPAAL
Overview of the model
Synchronous non-deterministic processes: 13 timed automata
Figure: PLC (main task, event-driven task) and operative part (component 1, component 2, component 3).
• Binary synchronization with messages: output messages, activation messages
• Communication through shared variables: input variables
Modelling with UPPAAL
Overview of the model (continued)
Synchronous non-deterministic processes: 13 timed automata
Figure: between the PLC and the operative part, Stop! / Stop? is a message on a synchronisation channel (in Uppaal, ! emits and ? receives), and Pos_test := 1 / Pos_test == 1 is a shared variable, assigned on one side and tested on the other.
Modelling with UPPAAL
Model of control program
The atomicity hypothesis: each one of the 4 steps of the main program executes instantaneously. Time can elapse only in 4 states.
Based on the Mader - Wupper approach [MW99]
Figure: cycle automaton of the main task with clock X. The steps Input scan, Evolution condition, Step activation, Computation of outputs / Output activation are committed locations (C); the 4 waiting states carry the invariant X ≤ TCmax and the cycle restarts with X := 0 once X ≥ TCmin. The event-driven task starts from an Idle state and runs Evolution condition, Step activation, Computation of outputs / Output activation.
Modelling with UPPAAL
Model of timer
Mader - Wupper model: 3 channels for each timer
Our model: one broadcast channel for all the timers
Modelling with UPPAAL
Operative part: conveyor
Figure: positions along the conveyor
• Loading position
• Capacitive sensor position
• Steel-bearing test position
• Optical sensor position
• Inductive sensor position
• Right position
Verification
Property
Property P to check: the conveyor stops in less than 5 ms at the steel-bearing test point.
In CTL or LTL this is difficult to write => add an external observer to measure the elapsed time
=> express the negation of P: E<> observer.stop and Xobs > 5
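As an added worked example (not from the slides and not the authors' Uppaal model), the Python script below builds a small discrete-time model of the mono-task PLC cycle of slides 4 and 9 together with the external observer of this slide: each cycle lasts a non-deterministic duration in [TCmin, TCmax], the sensor event may fall at any phase of a cycle, and the observer clock Xobs runs from the sensor event to the Stop output. The time unit (0.1 ms), the bounds TCmin = 3 ms and TCmax = 4 ms, the two-cycle window and all function names are constructed assumptions; the real model has 13 automata and is not reproduced. `exists_stop_with_xobs_above` and `exists_stop_with_xobs_at_most` play the role of the `E<>` queries: a True answer for `Xobs > bound` is a witness that refutes P.

```python
# Added example, not from the ETFA 2005 slides or the authors' Uppaal model:
# a small discrete-time model of the mono-task PLC scan cycle and of the
# external observer used to check the stop-time property.  All numeric values
# (time unit, TCmin, TCmax) are constructed assumptions.
from itertools import product

UNIT_MS = 0.1          # one model time unit = 0.1 ms (constructed)
TCMIN, TCMAX = 30, 40  # cycle time in [3.0 ms, 4.0 ms] (constructed)


def mono_task_response_time(event_time, tc):
    """Mono-task PLC with a fixed cycle time `tc` (integer model units).

    Inputs are scanned at the start of each cycle and outputs written at its
    end, so an input change at `event_time` is seen at the next input scan
    and acted upon at the end of that cycle (slide 4: TC <= RT <= 2 TC).
    """
    next_scan = -(-event_time // tc) * tc        # ceiling to a multiple of tc
    return (next_scan - event_time) + tc


def response_time_range(tc):
    """Sweep the event phase over one whole cycle and return (min RT, max RT).

    The minimum is TC (event exactly at a scan); the maximum is just below
    2 TC (event just after a scan), i.e. 2*tc - 1 in integer units.
    """
    rts = [mono_task_response_time(t, tc) for t in range(0, tc)]
    return min(rts), max(rts)


def reachable_observer_values(tcmin=TCMIN, tcmax=TCMAX):
    """Enumerate every behaviour of a two-cycle window of the cycle automaton.

    Each cycle lasts a non-deterministic X in [tcmin, tcmax] (guard X >= TCmin,
    invariant X <= TCmax on slide 9) and the sensor event may fall at any
    phase of the first cycle.  The observer clock Xobs starts at the sensor
    event and is read when the Stop output is written at the end of the
    following cycle.  Returns the set of reachable Xobs values.
    """
    values = set()
    for dur_first, dur_next in product(range(tcmin, tcmax + 1), repeat=2):
        # phase = time since the input scan that opened the first cycle;
        # phase == dur_first means the event coincides with the next scan.
        for phase in range(1, dur_first + 1):
            wait_for_scan = dur_first - phase
            values.add(wait_for_scan + dur_next)
    return values


def exists_stop_with_xobs_above(bound_ms, tcmin=TCMIN, tcmax=TCMAX):
    """Discrete counterpart of the query  E<> obs.stop and Xobs > bound.

    True means some behaviour stops later than `bound_ms`, which refutes the
    property 'the conveyor always stops within bound_ms'.
    """
    bound = round(bound_ms / UNIT_MS)
    return any(x > bound for x in reachable_observer_values(tcmin, tcmax))


def exists_stop_with_xobs_at_most(bound_ms, tcmin=TCMIN, tcmax=TCMAX):
    """Discrete counterpart of the query  E<> obs.stop and Xobs <= bound."""
    bound = round(bound_ms / UNIT_MS)
    return any(x <= bound for x in reachable_observer_values(tcmin, tcmax))


if __name__ == "__main__":
    lo, hi = response_time_range(TCMAX)
    print(f"fixed TC = {TCMAX * UNIT_MS:.1f} ms: "
          f"RT in [{lo * UNIT_MS:.1f}, {hi * UNIT_MS:.1f}] ms")
    xs = reachable_observer_values()
    print(f"observer: Xobs in [{min(xs) * UNIT_MS:.1f}, {max(xs) * UNIT_MS:.1f}] ms")
    for bound in (5, 10):
        print(f"E<> obs.stop and Xobs > {bound}: {exists_stop_with_xobs_above(bound)}")
        print(f"E<> obs.stop and Xobs <= {bound}: {exists_stop_with_xobs_at_most(bound)}")
```

The enumeration does by brute force over a discretised window what Uppaal does symbolically over clock zones: the observer turns a quantitative timing requirement into a plain reachability question, so a single witness trace with Xobs above the bound is enough to falsify P, while a negative answer to the `> bound` query only holds for the bounds and window actually explored.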
Verification
Results
name  model                              property                       verified  computation time  memory used
C1    Multitask                          E<> obs.stop and Xobs > 5      Yes       15 s              30 MB
C2    Multitask                          E<> obs.stop and Xobs <= 5     Yes       15 s              30 MB
C3    Multitask                          E<> obs.stop and Xobs > 10     No        22 s              61 MB
C5    Monotask                           E<> obs.stop and Xobs > 10     Yes       16 s              30 MB
C6    Monotask                           E<> obs.stop and Xobs <= 10    No        22 s              70 MB
C7    Monotask                           E<> obs.stop and Xobs > 20     No        22 s              69 MB
C5'   Monotask with Mader-Wupper model   E<> obs.stop and Xobs > 5      -         > 29 h            > 1 GB
Verification
Conclusion on this case study
E<> obs.stop and Xobs > 5 : Yes, so the conveyor may stop in more than 5 ms.
This configuration of multitask is not sufficient to ensure the property.
Conclusion
Conclusion and perspectives
Achievements
• Method to represent a time-dependent system: control + process
• Improvement in modelling the control program
  - Easier modelling of TON
  - Less time and memory cost in verification
• Real case application in Ladder Diagram
Future works
• Automated modelling of control programs
• Timed property library
• Function blocks
• Other IEC 61131-3 languages
• …