LSV

Verification of a timed multitask system with Uppaal

case study

ETFA 2005

Beatrice Berard, Houda Bel mokadem,Vincent Gourcuff, Jean-Marc Roussel, Olivier De Smet

LURPA - EA 1385 - ENS de CachanLSV - CNRS UMR 8643 - ENS de Cachan

LAMSADE - CNRS UMR 7024 & Université Paris-Dauphine

ETFA 2005 22/09/05 2LSV

Outline

Context Programmable Logic Controllers (PLC)Multitask behaviour

Case studyModelling with Uppaal

IdeaOverview of the modelControl programOperative part

VerificationPropertyResults

Conclusion

Context

ETFA 2005 22/09/05 3LSV

Safe control of production systems

Strong interaction Control/Process• large number of inputs and outputs

Strong temporal requirements• reactivity in relation to the process• taking physical times into account

Control made by • Programmable Logical Controller

programmed in IEC 61131-3 standard languages:SFC, Ladder Diagram,… +TON blocks

• Cyclic behaviour with Multitask possibility

PLC

Control

MSS Bosh didactic system(82 inputs / 50 outputs)

Process

Context

ETFA 2005 22/09/05 4LSV

The multi-task behaviourMono-task

INPUT

PROGRAM

OUTPUT

Cyclic behaviour:

Response Time (RT) depend of Time Cycle (TC)

TC ≤ RT ≤ 2 TC

Standard approachMaterial dependant

React to a specific event:

Response Time (RT) depend of the event-driven task

RT?

Better RT with same materialMore complex program

Multi-task

MAIN TASK I P O P O

EVENT-DRIVEN TASK

I P O

I I P O

t

t

CPU activity Event

Case study

ETFA 2005 22/09/05 5LSV

MSS Bosh didactic system

Constrain: the conveyor must stop in a small range.

=> Strong timed requirements:Time variation for physical stop of the conveyor must be less than 5 ms

Is multitask a solution? => Formal verification

Modelling with UPPAAL

ETFA 2005 22/09/05 6LSV

Property True or False

Verification by Model – Checking

Model-checker (UPPAAL) [LP97]

Formalization

AG(APBAF ~horn)

AG(~d1AF ~lig)

temporal Logic(LTL, CTL, …)

observer +

Main problem

PropertySatisfy

⊨

control

Formalization

Timed Automaton

Modelled

Timed Automaton

Synchronisedwith

Modelling with UPPAAL

ETFA 2005 22/09/05 7LSV

Overview of the model

Synchronous non-deterministic processes13 timed automata

PLC Operative part

Main task

Event-driven task

Component 1

Component 2

Component 3

Binary synchronization with messages

Output messages

Input variables

Activation messages

Communication through shared

variables

Modelling with UPPAAL

ETFA 2005 22/09/05 8LSV

Overview of the model

Synchronous non-deterministic processes13 timed automata

Stop! Stop?

Pos_test ==1 Pos_test:=1

Stop!message

shared variable

PLC Operative part

Modelling with UPPAAL

ETFA 2005 22/09/05 9LSV

Model of control program

The atomicity hypothesis:Each one of the 4 steps of the main program executes

instantaneously.The time can elapse only in 4 states.

Based on Mader – Wupper approach [MW99]

CC C C

CCCC

C

Input scan Evolution condition Step activation

Computation of outputsOutput activation X ≥ TCmin

X := 0

X ≤ TCmax X ≤ TCmax

X ≤ TCmax

X ≤ TCmax

IdleEvolution condition Step activation

Computation of outputsOutput activation

Modelling with UPPAAL

ETFA 2005 22/09/05 10LSV

Model of timerMader – Wupper model: 3 channels for each timerOur model : one broadcast channel for all the timers

Modelling with UPPAAL

ETFA 2005 22/09/05 11LSV

Operative partconveyor

Loading position

Capacitive sensor position

Steel-bearing test position

Optical sensor position

Inductive sensor position

Right position

Verification

ETFA 2005 22/09/05 12LSV

Property

Property P to check: the conveyor stops in less than 5ms at the steel-bearing test point

In CTL or LTL: difficult to write=> Add an external observer to measure elapsed time

=> Express the negation of P:E<> observer.stop and Xobs > 5

Verification

ETFA 2005 22/09/05 13LSV

Results

name property Verified Computation time

Memory used

C1

C2

C3

Multitask

E<> obs.stop and Xobs > 5

E<> obs.stop and Xobs <= 5

E<> obs.stop and Xobs > 10

Yes

Yes

No

15 s

15 s

22 s

30 Mo

30 Mo

61 Mo

C5

C6

C7

Monotask

E<> obs.stop and Xobs > 10

E<> obs.stop and Xobs <= 10

E<> obs.stop and Xobs > 20

Yes

No

No

16 s

22 s

22 s

30 Mo

70 Mo

69 Mo

C5'

Monotask withMader-Wupper model

E<> obs.stop and Xobs > 5 - > 29h > 1Go

Verification

ETFA 2005 22/09/05 14LSV

Conclusion on this case study

E<> obs.stop and Xobs > 5 : YesSo the conveyor may stop in more the 5 ms.

This configuration of multitask is not sufficient to assume the property.

Conclusion

ETFA 2005 22/09/05 15LSV

Conclusion and perspectives

Achievements• Method to represent time dependant system : control + process

• Improvement in modelling control program

- Easier modelling of TON

- Less time and memory cost in verification

• Real case application in Ladder Diagram

Future works• Automated modelling of control program

• Timed property library

• Function bloc

• Other IEC 61131-3 languages

• …