Modeling and verification of a class of real-time systems by the use of High Level Petri Nets

Abstract

Homogeneous, shared memory multiprocessors that incorporate real-time operating systems constitute in many corporations the basic platforms for developing applications of plant monitoring and automation. In this work, a template model based on the High Level Petri Net (HLPN) formalism is proposed for this class of computers. Mapping functional and timing requirements of the application software to states of this model and searching for their existence in the reachability tree of the net can verify the satisfaction of these requirements. A state searching algorithm has been developed for the case of a shared memory multiprocessor in which there is a bus-based interconnection network supporting a single communication channel for the exchange of data among the CPUs, the common memory and the computer interfaces. This algorithm groups the infinite number of states of the HLPN to a number of finite regions, identifies the region, which the desired state belongs to, and checks for the existence of a path from the initial state that leads to this region. In order to demonstrate the use of the template in the modeling and verification of timing and functional specifications of a system of the considered class, the implementation of the automation functions of a chemical reactor by a VME-bus based multiprocessor with two CPUs and running under the control of the OS-9 operating system was studied. In this study the template model was used to create a specific for this application HLPN model. The response times of two automation functions were predicted by the use of this model and compared with those derived from the operating characteristics of the reactor.

Introduction

Multiprocessing computer platforms with shared memory architectures are used extensively in industrial automation applications. The software that implements the automation functions is written as a series of separate program tasks that can execute concurrently. Separating main functions into different tasks and planning the way tasks will coordinate are crucial decisions taken during the phase of the basic design of the application software. Designers wish to have a model of the way their design will execute on a specific platform under specific input scenarios, in order to become able to assess the software response time and the satisfaction of critical functions (Clarke and Wing, 1996).

Over the last 20 years several researchers have developed models for various classes of multiprocessor systems with the purpose of studying different aspects of their timing and functional behavior. Different models have been proposed (Kriz, 1983; Marsan et al., 1984; Marsan et al., 1985; Mudge et al., 1985; Marsan et al., 1986; Peng and Shin, 1987; Woodbury and Shin, 1988; Bodnar and Liu, 1989; Hassapis, 1993; Jrjung et al., 1998) for assessing the adequacy of the computing power, the throughput, service rate and other similar performance indices of various single bus and multiple bus architectures under certain workload conditions. Other models (Zuberek, 1985; Zuberek, 1987; Zuberek et al., 1998; Lindemann, 1998; Koriem, 1999) have been proposed for assessing the probability of meeting task deadlines in distributed and bus-based multiprocessor architectures when various task allocation schemes to different processing elements are used. There are also models addressing the evaluation of a single aspect of the multiprocessing environment such as the CPU scheduling policy (Economides and Duboi, 1990) or the assignment of priorities to tasks (Ramani et al., 1992). The majority of these models are probabilistic, based mainly on Markov processes, queuing networks and stochastic Petri nets. In order to cope with the state explosion during model analysis and when the numbers of the processing elements and the application program tasks become large, these models view the running of the application programs in a very abstract way in which only the number of the processing elements and the task assignment to these elements are considered. The combined influence of the CPU scheduling, the task communication and synchronization policy and the algorithm that resolves the communication medium contention is expressed in an overall statistical distribution either of the task execution time or the task service time and the like. It is not feasible with the just referenced models to predict deterministic figures for program response time, functional behavior to various modes of the controlled process operation and specific input scenarios. However, in the case of industrial automation, applications can be decomposed to relatively small independent groups of interacting tasks that can run on computer platforms with a small number of processing elements. Therefore, it might be possible to form models that include the combined influence of the above-mentioned factors without facing an unmanageable state explosion during model analysis.

In this work the development of a model, based on the abstraction of the High Level Petri Net (HLPN) (Genrich, 1987; Morasca et al., 1991), is proposed. The model tries to describe the way the application software is executed on the computer platform over the time. The paper is organized in eight sections. In Section 2 an overview of the shared memory distributed multiprocessing architecture is given and the way application software can run on such a computer platform under a real-time operating system is described. In Section 3 an informal presentation of the HLPN formalism as a subclass of the parameterized abstract Petri nets is provided and how this formalism can be used to model the software execution on the considered computer platform is outlined. In Section 4 a descriptive and graphical presentation of the developed HLPN model is given and the data structure of the tokens is formally presented. Section 5 refers to an algorithm that finds whether a state of the net is reachable from an initial one. 6 Modeling an application example, 7 Model analysis deal with the modeling and analysis of the software designed for the automation of a chemical reactor. By using the developed Petri net model and the algorithm of Section 5 a prediction of the completion times of critical control functions is made by relating the execution of these functions with specific states of the net. These figures are compared with those obtained from the operating characteristics of the reactor and an assessment of the accuracy of the model predictive abilities is made. The conclusions drawn from this work are presented in Section 8.