No full-text available
To read the full-text of this research,
you can request a copy directly from the authors.
Enabling Automated Timing Verification: A Unified Approach for Industrial Distributed Control Systems
Abstract
In a correct control system, events are never late, nor are they early. They are delivered precisely when the engineer means to. IEC 61499 defines a modeling language for control software of distributed systems. However, timing requirements cannot be specified as part of an application model. As a result, deriving timing specifications for components is a separate and additional manual, i. e., non-automatized, step when designing a correct system. Contract-based design is a widely known approach for correct-by-construction system design. This work presents concepts and tool support for integrating timing specifications into IEC 61499 based on the MULTIC timing specification language. We applied our approach to a demonstration example to illustrate developing IEC 61499 systems following contract-based design. Any specified contracts are stored as part of sub-applications, which are a hierarchical structuring mechanism of IEC 61499. The resulting models can form the input for continuous timing verification of IEC 61499 models.
Nowadays, safety-critical manufacturing processes are often controlled by Industrial Distributed Control Systems (IDCS) employing an event-based execution paradigm. The necessity to react to events as soon as they occur counteracts the predictability of strictly scheduled real-time software and adds to the complexity. This leads to the necessity to ensure real-time behaviour in IDCS for safe and efficient operation despite the event-based approach. Following a correct-by-construction development process, such as contract-based design, allows to provide certificates about the correct system behaviour and to mitigate the costs for design cycle re-iterations. This requires in depth knowledge about the overall system behaviour at design time. However, conventional modelling languages for IDCS often abstract the intricacies of the network communication process away. This abstraction can significantly impact execution behaviour, particularly considering the increasing complexity of network configurations over time. The main contribution of this thesis is the extension to the modelling language IEC 61499 tailored for IDCS to enhance the modelling flow of distributed control systems with focus on guaranteeing the required timing behaviour. This extension aims to model the logical messages transmitted over physical channels. The novel modelling elements, message and channel, serve as the foundation for the correct-by-construction design approach. By explicitly mapping messages to channels, developers can systematically design their industrial distributed control following a component-based refinement resulting in valid mappings that guarantee adherence to timing requirements. Due to typical network complexity, network configuration itself is rather error-prone. Thus, it is a risk to leave this critical step as an independent unit of the development process. Accordingly, this thesis suggests to utilise the additional information provided within the proposed modelling language enhancement to automate the network configuration saving development time, reducing potential errors and, thereby, preserving the timing specification. The evaluation demonstrates that the modelling enhancement supports several IEC 61499 applications, the examined timing properties arising in such scenarios are utilised for validating the proposed configuration flow, and the overall proposed design flow facilitates the application of verification and validation techniques. Moreover, the evaluation examines the limitations of the proposed approach specifically showcasing arising challenges regarding scalability, due
to technological constraints. This becomes an issue considering reconfiguration efforts, which is addressed in the field of scheduling techniques for network communication protocols. Accordingly, the evaluation highlights the applicability of the proposed approaches and points out possible future enhancements. To conclude, this thesis promotes a systematic and certifiable design approach for distributed control systems, enhancing the reliability and efficiency of real-world manufacturing processes.
The IEC standard 61499 defines a generic model for distributed industry control systems. It offers high flexibility through an event-driven model of execution. The downside of such models is that they can be difficult to analyze and debug. The central modeling element of IEC 61499 is the function block (FB), a composable representation of behaviour activated through event ports, with optional data ports. We adopt the concept of contracts for FBs to allow the specification of assumptions and guarantees over data/event traces of their input and output ports. This work proposes an initial concept for integrating time-sensitive behavioural contracts with IEC 61499 FBs. We propose specification patterns and a tool that supports the automatic generation and integrating of contract monitors into IEC 61499 FB models. These monitors observe an FB's input and output values/events and check that assumptions and guarantees hold. We evaluate our proposed concept on a simple pick and place control system that is modeled in 4diac, an open source IEC 61499 framework.
Programmable Logic Controllers (PLCs) are an established platform, widely used throughout industrial automation but rather poorly understood among researchers. This paper gives an overview of the state of the practice, explaining why this settled technology persists throughout industry and presenting a critical analysis of the strengths and weaknesses of the dominant programming styles for today's PLC-based automation systems. We describe the software execution patterns that are standardized loosely in IEC 61131-3 and, where there are ambiguities in the standard, realized in concrete vendor implementations of PLCs. Ultimately, we identify opportunities for improvements that would enable increasingly complex industrial automation applications under the novel technical requirements associated with Industry 4.0 type environments without compromising the safety and reliability guaranteed by the current industrial automation technology stack.
Aircrafts, trains, cars, plants, distributed telecommunication military or health care systems,and more, involve systems design as a critical step. Complexity has caused system design times and coststo go severely over budget so as to threaten the health of entire industrial sectors. Heuristic methods andstandard practices do not seem to scale with complexity so that novel design methods and tools based on astrong theoretical foundation are sorely needed. Model-based design as well as other methodologies suchas layered and compositional design have been used recently but a unified intellectual framework with acomplete design flow supported by formal tools is still lacking.Recently an “orthogonal” approach has been proposed that can be applied to all methodologies introducedthus far to provide a rigorous scaffolding for verification, analysis and abstraction/refinement: contractbaseddesign. Several results have been obtained in this domain but a unified treatment of the topic that canhelp in putting contract-based design in perspective is missing. This paper intends to provide such treatmentwhere contracts are precisely defined and characterized so that they can be used in design methodologiessuch as the ones mentioned above with no ambiguity. In addition, the paper provides an important linkbetween interface and contract theories to show similarities and correspondences.This paper is complemented by a companion paper where contract based design is illustrated throughuse cases.
This is Part II of a sequence of two papers on Contract-based Design (CBD). Part I introduced concepts, presented how CBD addresses the challenges facing designers of large-scale complex systems, placed it in the context of existing design methodologies and showed how it can be used effectively together with any other methodology so far proposed. Part II covers the theoretical foundations that are essential to make CBD robust and well supported by tools and software frameworks. We believe that contract-based design is going to be a key part of the future of system design and for this reason, this contribution is important for the design community.
We elaborate on the theoretical foundation and practical application of the contract-based specification method originally developed in the Integrated Project SPEEDS, for two key use cases in embedded systems design. We demonstrate how formal contract-based component specifications for functional, safety, and real-time aspects of components can be expressed using the pattern-based requirement specification language RSL developed in the Artemis Project CESAR, and develop a formal approach for virtual integration testing of composed systems based on such contract-specifications of subsystems. We then present a methodology for multi-criteria architecture evaluation developed in the German Innovation Alliance SPES on Embedded Systems.
In large software development organizations, increased complexity of products, shortened development cycles, and heightened expectations of quality have created major challenges at all the stages of the software life cycle. As this issue of the IBM Systems Journal illustrates, there are exciting improvements in the technologies of model-driven development (MDD) to meet many of these challenges. Even though the prevalent software-development practices in the industry are still immature, tools that embody MDD technologies are finally being incorporated in large-scale commercial software development. Assuming MDD pervades the industry over the next several years, there is reason to hope for significant improvements in software quality and time to value, but it is far from a foregone conclusion that MDD will succeed where previous software-engineering approaches have failed.
Modern embedded computing systems tend to be heterogeneous in the sense of being composed of subsystems with very different characteristics, which communicate and interact in a variety of ways-synchronous or asynchronous, buffered or unbuffered, etc. Obviously, when designing such systems, a modeling language needs to reflect this heterogeneity. Today's modeling environments usually offer a variant of what we call amorphous heterogeneity to address this problem. This paper argues that modeling systems in this manner leads to unexpected and hard-to-analyze interactions between the communication mechanisms and proposes a more structured approach to heterogeneity, called hierarchical heterogeneity, to solve this problem. It proposes a model structure and semantic framework that support this form of heterogeneity, and discusses the issues arising from heterogeneous component interaction and the desire for component reuse. It introduces the notion of domain polymorphism as a way to address these issues.
Formal model of IEC 61499 syntax and its unambiguous execution semantics are important for adoption of this international standard in industry. This paper proposes some elements of such a model. Elements of IEC 61499 architecture are defined in a formal way following set theory notation. Based on this description, formal semantics of IEC 61499 can be defined. An example is shown in this paper for execution of basic function blocks. The paper also provides a solution for flattening hierarchical function block networks.
Giotto provides an abstract programmer's model for the implementation of embedded control systems with hard real-time constraints. A typical control application consists of periodic software tasks together with a mode-switching logic for enabling and disabling tasks. Giotto specifies time-triggered sensor readings, task invocations, actuator updates, and mode switches independent of any implementation platform. Giotto can be annotated with platform constraints such as task-to-host mappings, and task and communication schedules. The annotations are directives for the Giotto compiler, but they do not alter the functionality and timing of a Giotto program. By separating the platform-independent from the platform-dependent concerns, Giotto enables a great deal of flexibility in choosing control platforms as well as a great deal of automation in the validation and synthesis of control software. The time-triggered nature of Giotto achieves timing predictability, which makes Giotto particularly suitable for safety-critical applications.
The authors describe LUSTRE, a data flow synchronous language
designed for programming reactive systems-such as automatic control and
monitoring systems-as well as for describing hardware. The data flow
aspect of LUSTRE makes it very close to usual description tools in these
domains (block-diagrams, networks of operators, dynamical
sample-systems, etc.), and its synchronous interpretation makes it well
suited for handling time in programs. Moreover, this synchronous
interpretation allows it to be compiled into an efficient sequential
program. The LUSTRE formalism is very similar to temporal logics. This
allows the language to be used for both writing programs and expressing
program properties, which results in an original program verification
methodology
We discuss a novel approach for constructing deterministic reactive systems that revolves around a temporal model that incorporates a multiplicity of timelines. This model is central to Lingua Franca (LF), a polyglot coordination language and compiler toolchain we are developing for the definition and composition of concurrent components called reactors, which are objects that react to and emit discrete events. Our temporal model differs from existing models like the logical execution time (LET) paradigm and synchronous languages in that it reflects that there are always at least two distinct timelines involved in a reactive system; a logical one and a physical one—and possibly multiple of each kind. This paper explains how the relationship between events across timelines facilitates reasoning about consistency and availability across components in Cyber-Physical Systems (CPS).
Designing the software for distributed control systems introduces new challenges regarding handling the communication between devices. The domain-specific modeling language defined in IEC 61499 provides mechanisms to distribute software across devices, but does not provide modeling elements for describing details about the communication between these devices. We provide an extensible proof-of-concept implementation for specifying the communication of an IEC 61499-based system that extends the current system model. Our approach requires only minimal adaptations of the IEC 61499 standard and proposes an extensible concept for modeling various kinds of communication protocols. We integrated the concept into an open-source development environment for IEC 61499. We then evaluated the approach and the tool by configuring time-sensitive networking for a typical control application. Engineers can customize our approach with low effort to support additional paradigms for communication using the provided extension mechanisms.
The IEC 61499 standard offers the possibility to model distributed systems, especially in the domain of industrial automation. Since debugging at design time is becoming more and more important and the verification of the execution at event and function block level is becoming more and more important, this paper presents an approach for model-aware simulation of IEC 61499 models in which traces of the event chain can be viewed after simulation time. For this purpose, the information is extracted from the model and transformed into a SystemC model that enables tracing. This SystemC model can also be augmented with existing tools and methods from the SystemC ecosystem, e.g. in order to perform virtual integration testing in a contract-based design flow.
The Time Sensitive Networking (TSN) standard was introduced to provide deterministic Ethernet-based communication for industrial distributed systems. However, configuration
needs to be done manually and is error prone. Combining TSN with the IEC 61499 modeling standard opens up new opportunities for automatic network configuration. A prerequisite is to have an in depth understanding of the requirements for a TSN/IEC
61499 control system and especially of the communication time behavior. We developed a time measurement concept to analyze the timing effects on three important layers under different traffic configurations. We deployed our IEC 61499 implementation on
two directly connected Intel I210 evaluation boards based on a minimized Linux Operating System to reduce non-deterministic external influences. The results show the expected effect of using a TSN configuration and a particularly positive impact with TSN
transmission windows that are long enough for the IEC 61499 application, especially at the receiving device. The measured delays are shorter for the IEC 61499 application when it is scheduled as time-critical with competing traffic compared to when it runs without a TSN schedule and competing traffic. This is evidence that IEC 61499 performs very well together with a TSN configuration, which opens the door for automatic network configuration in IEC 61499 Ethernet/TSN control applications.
Time-Sensitive Networks (TSN) enhance standard IEEE 802.1Q Ethernet devices with real-time and time-aware capabilities. The forwarding of time-critical frames is done according to a so-called Gate Control List (GCL) schedule via the timed-gate mechanism introduced in IEEE 802.1Qbv. Most TSN scheduling mechanisms impose that all devices in the network must have the TSN capabilities related to scheduled gates and time synchronization. However, this is often an unrealistic assumption since many distributed applications use heterogeneous TSN networks with legacy or off-the-shelf end systems that are unscheduled and/or unsynchronized.
This paper proposes a novel, more flexible TSN scheduling algorithm that intertwines a worst-case delay analysis within the scheduling synthesis step. Through this, we leverage the solution’s optimality to support heterogeneous TSN networks featuring un- scheduled and/or unsynchronized end-systems while still guaranteeing the timeliness of critical communication. We evaluate the performance of our approach using both synthetic and real-world use cases, comparing it with existing TSN scheduling mechanisms. Furthermore, we use OMNET++ to validate the generated GCL schedules.
Based on the highly successful second edition, this extended edition of SystemVerilog for Verification: A Guide to Learning the Testbench Language Features teaches all verification features of the SystemVerilog language, providing hundreds of examples to clearly explain the concepts and basic fundamentals. It contains materials for both the full-time verification engineer and the student learning this valuable skill.
In the third edition, authors Chris Spear and Greg Tumbush start with how to verify a design, and then use that context to demonstrate the language features, including the advantages and disadvantages of different styles, allowing readers to choose between alternatives. This textbook contains end-of-chapter exercises designed to enhance students’ understanding of the material. Other features of this revision include:
• New sections on static variables, print specifiers, and DPI from the 2009 IEEE language standard
• Descriptions of UVM features such as factories, the test registry, and the configuration database
• Expanded code samples and explanations
• Numerous samples that have been tested on the major SystemVerilog simulators
SystemVerilog for Verification: A Guide to Learning the Testbench Language Features, Third Edition is suitable for use in a one-semester SystemVerilog course on SystemVerilog at the undergraduate or graduate level. Many of the improvements to this new edition were compiled through feedback provided from hundreds of readers.
As you verify your design, you need to write a great deal of code, most of which is in tasks and functions. SystemVerilog introduces many incremental improvements to make this easier by making the language look more like C, especially around argument passing. If you have a background in software engineering, these additions should be very familiar.
This book describes a novel approach for the design of embedded systems and industrial automation systems, using a unified model-driven approach that is applicable in both domains. The authors illustrate their methodology, using the IEC 61499 standard as the main vehicle for specification, verification, static timing analysis and automated code synthesis. The well-known synchronous approach is used as the main vehicle for defining an unambiguous semantics that ensures determinism and deadlock freedom. The proposed approach also ensures very efficient implementations either on small-scale embedded devices or on industry-scale programmable automation controllers (PACs). It can be used for both centralized and distributed implementations. Significantly, the proposed approach can be used without the need for any run-time support. This approach, for the first time, blurs the gap between embedded systems and automation systems and can be applied in wide-ranging applications in automotive, robotics, and industrial control systems. Several realistic examples are used to demonstrate for readers how the methodology can enable them to reduce the time-to-market, while improving the design quality and productivity.
Contract-based design is an emerging paradigm for the design of complex systems, where each component is associated with a contract, i.e., a clear description of the expected interaction of the component with its environment. Contracts specify the expected behavior of a component by defining the assumptions that must be satisfied by the environment and the guarantees satisfied by the component in response. The ultimate goal of contract-based design is to allow for compositional reasoning, stepwise refinement, and a principled reuse of components that are already pre-designed, or designed independently.In this paper, we present fully formal contract framework based on temporal logic (a preliminary version of this framework has been presented in [1]). The synchronous or asynchronous decomposition of a component into subcomponents is complemented with the corresponding refinement of its contracts. The framework exploits such decomposition to automatically generate a set of proof obligations. Once verified, the conditions allow concluding the correctness of the architecture. This means that the components ensure the guarantee of the system and the system ensures the assumptions of the components. The framework can be instantiated with different temporal logics. The proof system reduces the correctness of contracts refinement to entailment of temporal logic formulas. The tool support relies on an expressive property specification language, conceived for the formalization of embedded system requirements, and on a verification engine based on automated SMT techniques.
Giotto provides an abstract programmer’s model for the implementation of embedded control systems with hard real-time constraints.
A typical control application consists of periodic software tasks together with a mode switching logic for enabling and disabling
tasks. Giotto specifies time-triggered sensor readings, task invocations, and mode switches independent of any implementation
platform. Giotto can be annotated with platform constraints such as task-to-host mappings, and task and communication schedules.
The annotations are directives for the Giotto compiler, but they do not alter the functionality and timing of a Giotto program.
By separating the platform-independent from the platform-dependent concerns, Giotto enables a great deal of flexibility in
choosing control platforms as well as a great deal of automation in the validation and synthesis of control software. The
time-triggered nature of Giotto achieves timing predictability, which makes Giotto particularly suitable for safety-critical
applications.
Component-based programming frameworks for industrial control logic development promise to shorten development and modification times, and to reduce programming errors. To get these benefits, it is, however, important that the components are specified and verified to work properly. This work introduces Reusable Automation Components (RACs), which contain not only the implementation details but also a formal specification defining the correct use and behaviour of the component. This formal specification uses temporal logic to describe time-related properties and has a special structure developed to meet industrial control needs. The RAC can be formally verified, to determine whether the implementation fulfils the specification or not. A RAC prototype development tool has been developed to demonstrate this capability. The main difference between the RAC and other frameworks for formal verification of control logic is the specification modeling. In RAC, not only the implementation but also the specification is based on the structure and languages of conventional control logic, aiming at being easy to comprehend for control logic engineers. Several industrial examples are discussed in this paper, showing the benefits and potential of the framework.
Time division multiple access (TDMA) is a classic approach to
multiple access in digital cellular wireless communications systems. The
authors summarize a number of frequency and time slot allocation
techniques for enhancing the capacity and flexibility of TDMA-based
systems. They also describe how the problems of fading, delay spread,
time variability and interference affect TDMA systems, and how they may
he countered and even exploited by appropriate techniques of detection,
diversity, coding, adaptive equalization and slow frequency hopping
(FH). It is worth emphasizing that the use of one of these techniques,
slow random FH, results in a system that is in effect a hybrid of TDMA
and code division multiple access (CDMA)
Methodological guidelines for object-oriented software construction that improve the reliability of the resulting software systems are presented. It is shown that the object-oriented techniques rely on the theory of design by contract, which underlies the design of the Eiffel analysis, design, and programming language and of the supporting libraries, from which a number of examples are drawn. The theory of contract design and the role of assertions in that theory are discussed.<
></ETX