

| MARCH / APRIL 1999 | VOLUME 11 | NUMBER 2 | ITKEEH | (ISSN 1041-4347) |
|--------------------|-----------|----------|--------|------------------|
|                    |           |          |        |                  |

#### **REGULAR PAPERS**

| Dynamic Programming in Datalog with Aggregates<br>S. Greco                                                                        | 265 |
|-----------------------------------------------------------------------------------------------------------------------------------|-----|
| Techniques for Increasing the Stream Capacity of A High-Performance Multimedia Server<br>D. Jadav, A.N. Choudhary, and P.B. Berra | 284 |
| Resource Scheduling In A High-Performance Multimedia Server<br>H.H. Pang, B. Jose, and M.S. Krishnan                              | 303 |
| Join Index Hierarchy: An Indexing Structure for Efficient Navigation in Object-Oriented Databases<br>J. Han, Z. Xie, and Y. Fu    | 321 |
| A Hybrid Estimator for Selectivity Estimation<br>Y. Ling, W. Sun, N.D. Rishe, and X. Xiang                                        | 338 |

#### CORRESPONDENCE

| Proof of the Correctness of EMYCIN Sequential Propagation Under Conditional Independence Assumptions<br>X. Luo and C. Zhang | 355 |
|-----------------------------------------------------------------------------------------------------------------------------|-----|
|                                                                                                                             |     |

1

1998 TKDE Reviewers List .....

Dr. Naphtali Rishe Florida International University School of Computer Science Southwest 8th St. and 107th Avenue University Park Miami, FL 33199



## Journal of Intelligent Manufacturing

Volume 10 Number 6 December 1999 ISSN: 0956-5515

Special issue on Computer-integrated Manufacturing Systems: Recent Development and Applications

#### CONTENTS

ics

ıl

ak

J.S.A.

in the

mal or (CCC) resale.

om the

| MENGCHU ZHOU and YUSHUN FAN<br>Editorial                                                                                                                   | 467 |
|------------------------------------------------------------------------------------------------------------------------------------------------------------|-----|
| PASCAL BERRUET, ABDOUL KARIM ARMAND TOGUYENI,<br>SAMIR ELKHATTABI and ETIENNE CRAYE<br>Tolerance evaluation of flexible manufacturing architectures        | 471 |
| JIACUN WANG and YI DENG<br>Incremental modeling and verification of flexible manufacturing<br>systems                                                      | 485 |
| SRINI RAMASWAMY and YI YAN<br>Interactive modeling and simulation of virtual manufacturing<br>assemblies: An agent-based approach                          | 503 |
| NAIQI WU, NING MAO and YANMING QIAN<br>An approach to partner selection in agile manufacturing                                                             | 519 |
| SEONG JIN YIM and DOO YONG LEE<br>Scheduling cluster tools in wafer fabrication using candidate list<br>and simulated annealing                            | 531 |
| MU DER JENG, CHUNG SHI LIN and YI SHENG HUANG<br>Petri net dynamics-based scheduling of flexible manufacturing<br>systems with assembly                    | 541 |
| PINGTAO YAN, MENGCHU ZHOU, BAOSHENG HU<br>and ZUREN FENG<br>Modeling and control of workstation level information flow in<br>FMS using modified Petri nets | 557 |
| LUCA FERRARINI, LUIGI PIRODDI and STEFANO ALLEGRI<br>A comparative performance analysis of deadlock avoidance control<br>algorithms for FMS                | 569 |
| YUSHUN FAN, SHI WEI and CHENG WU<br>Enterprise wide application integration platform for CIMS<br>implementation                                            | 587 |





Journal of Intelligent Manufacturing is published by Kluwer Academic Publishers Boston/Dordrecht/London Journal of Intelligent Manufacturing (1999) 10, 485-502

## Incremental modeling and verification of flexible manufacturing systems<sup>\*</sup>

JIACUN WANG and YI DENG

School of Computer Science, Florida International University

Received March 1998 and accepted August 1998

An FMS is a typical real-time concurrent system composed of a number of computer-controlled machine tools, automated material handling and storage systems that operate as an integrated system under the control of host computer(s). The growing demand for higher performance and flexibility in these systems and the interlocking factors of concurrency, deadline-driven activities, and real-time decision making pose a significant challenge to FMS design, especially in terms of control and scheduling. A formal engineering approach that helps handle the complexity and dynamics of FMS modeling, design and analysis is needed. A real-time architectural specification (RAS) model and its application in the modeling of flexible manufacturing system (FMS) are presented. RAS combines mature operational and descriptive formal methods, in particular time Petri nets (TPN) and real-time computational tree logic (RTCTL), to form an integrated system model for architectural specification and analysis of real-time concurrent systems such as FMS. The contribution of RAS is twofold: First, it provides a formal system to systematically maintain a strong correlation between (real-time) requirements and design and to verify the conformance of the design to the requirements, which helps enhance traceability and thus to help us to achieve high assurance in design. Second, it offers better scalability in modeling and analysis, which provides an effective way to deal with complexity in the application of formal methods. These two features together make RAS a suitable model for the design of FMS.

*Keywords*: Formal system design, real-time systems, time Petri nets, real-time computational tree logic, flexible manufacturing systems

#### 1. Introduction

Flexible manufacturing systems (FMS) provide a means to achieve better quality, lower cost, and smaller lead-time in manufacturing. An FMS is a typical real-time concurrent system composed of a number of computer-controlled machine tools, automated material handling and storage systems that

\*This work was supported in part by the NSF under Grant No. HDR-9707076, by Air Force Office of Scientific Research under Grant No. F49620-96-1-0221, by Army Research Office under grant No. DAAG55-98-1-0428. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official polices or endorsements either expressed or implied by the above named agencies.

operate as an integrated system under the control of host computer(s). The growing demand for higher performance and flexibility in these systems and the interlocking factors of concurrency, deadline-driven activities, and real-time decision-making pose a significant challenge to FMS design, especially in terms of control and scheduling. Moreover, uncertainty in product demand knowledge, finite manufacturing capacity, random machine failures and repair rates further make the system behavior more dynamic and hard to predict. Given the complexity of the FMS design, an ad hoc method is clearly inadequate and a more rigorous approach addressing the complexity and dynamics in FMS modeling, design, and analysis is needed (Elmaraghy and Ravi, 1992).

In recent years, formal techniques such as Petri nets

ıl. n. to n, nd SS del cal co. its. et of lity, i to tion and nes. ches pace 15. J. tems iring ctur-If. A. y in xible )6) A FMS. th an Proc. t des inces: striels, 486

have been increasingly used in FMS modeling (see Section 2). As a popular modeling tool for concurrent and distributed systems, Petri nets provide a rigorous and operational way to describe and analyze system properties. In addition to its rigor and analytic capability, Petri net models are executable, and thus can be used as a system prototype for simulation. Furthermore, Petri nets are capable of describing both software and hardware, system and environment, at different levels of abstraction. These strengths make Petri nets a powerful modeling tool for FMS.

While offering many advantages, however, ordinary Petri net models suffer from some problems that limit their usability and application as a design model for complex FMS. Petri net-based models tend to become too large even for a modest-sized problem (Murata, 1989). The primary concern of Petri nets, like many other formal techniques, is behavior modeling and analysis. They, however, lack mechanisms to structure complex designs in such a way that both helps enforce design integrity and provide a systematic and incremental way for design and analysis. For example, in an FMS, the physical configuration and the functional behavior of its hardware components, e.g., machine tools and AGVs, are quite stable and static. The central issues of design are the coordination, control, and scheduling of these components. For a complex FMS, it is necessary to experiment with different alternatives of control and scheduling policies against the same hardware configuration. It is therefore highly desirable to be able to "plug-in" the specifications of various control modules to a FMS model without having to make major changes or reconstruct the entire system model each time. Most Petri net-based models do not provide explicit or adequate support to this task.

In this paper, we go beyond conventional Petri nets modeling and present an integrated formal method to support scalable and evolutionary design of real-time concurrent systems from the perspective of timedependent architectural modeling and analysis. Our approach is based on two basic hypotheses: (1) The ability to systematically maintain a strong correlation between requirement and design at every design level is the basis to achieve quality design. An effective way to achieve such strong design traceability is to incorporate (real-time) requirement constraints as an integral part of design modeling. (2) Constraint-driven compositional analysis sensibly integrated as a part of design process is a powerful means to control Wang and Deng

complexity and cost in analysis. Based on these principles, we have developed the Real-time Architectural Specification (RAS) model (Deng et al., 1997). RAS is built on top of Time Petri nets (TPN) (Berthomieu and Diaz, 1991) and Real-Time Computational Tree Logic (RTCTL) (Emerson and Mok et al., 1992). Petri nets are a well-known operational model best suited for modeling the control of distributed systems but cumbersome for specifying rules and constraints. By contrast, temporal logic, a popular descriptive formalism, is best suited for describing rules and constraints but not control and composition of systems. By integrating them into one coherent architectural model, RAS establishes two desirable features: First, it provides a formal system to systematically maintain a strong correlation between (real-time) requirements and design and to verify the conformance of the design to the requirements. Second, it offers better scalability in modeling and analysis and provides an effective way to deal with complexity in the application of formal methods. These two features together make RAS a suitable model for the design of FMS.

The rest of the paper is arranged as following: Related work is discussed in Section 2. The RAS model, including its conceptual framework and formal definition, is given in Section 3. In Section 4, we illustrate the use of RAS to give an incremental modeling of an FMS. Finally, in Section 5, we propose an incremental verification technique based on the RAS model. The formal description of a set of component-level TPN reduction rules which support our incremental verification technique are given in Appendix.

#### 2. Related work

Petri nets have been applied to the specification, verification, performance analysis, real-time control and simulation of FMS. Net-based models have also been used to obtain production rates, throughput, delays, capacity, resource utilization, reliability measures and deadlock avoidance for FMS. The details of these applications can be found in surveys in (D'souza and Khator, 1994; Shukla and Chen, 1997). Some typical uses of Petri nets in FMS modeling are listed below (Brussel *et al.*, 1993; Camurri *et al.*, 1993; Huang and Chang, 1992; Knapp and Wang, 1992; Lin and Lee, 1995; Meng *et al.*, 1995; Qadri and

al.

]

net

pro

goa atic

con

syst

moc

Bru al.,

et a

199

and

are

net (

cert:

Hov

sem

A n

Nets

form

abili

F mod

Zh

Robbi, 1994; Solot and Vliet, 1994; Wang, 1996; Zhou and Dicesare, 1992; Zhou *et al.*, 1993; Zhou *et al.*, 1995; Zuberek, 1995):

- Nets can be used as a graphical modeling tool to visualize complex control structure and systems behavior.
- The nets notation precisely captures the precedence relations and structural interactions of stochastic, concurrent and asynchronous events, which can be used to support the development of operating strategies for work scheduling and job sequencing.
- The executibility of Petri net models enables them to be used as simulation tools to evaluate control and scheduling policies.
- Real-time Petri net models can be used to design and implement real-time control systems.
- Their analytical capability supports deadlock detection, performance evaluation, and verification of real-time schedulability.
- Conflicts and buffer sizes can be modeled easily and efficiently.
- Net models can help identify production bottlenecks, and to assess the capacity and utilization of equipment.

Those studies deal with the issue of how to use Petri nets to address specific modeling and analysis problems in FMS. We address a different issue. Our goal is to develop an engineering practice to systematically and cost-effectively apply Petri net theory in complex FMS modeling, design and analysis.

Related to our approach, several structural Petri net models are proposed both to provide a mechanism for system composition and to manage complexity in modeling. These include PROTOB (Baldasssri and Bruno, 1991), OBJSA nets (Battiston and Cindio et al., 1988), the Cooperative Objects Language (Bastide et al., 1993), and OPNets (Emerson and Mok et al., 1992). An application of OPNets in FMS modeling and analysis is presented in (Wang, 1996), where they are used to represent part of an object-oriented Petri net cell control model. Each of these models provides certain object-based structure for system composition. However, none of these models has a formal semantics for modeling timing and timed behavior. A more recent model, Communicating Time Petri Nets (CmTPN) (Bucci and Vicario, 1995), has a formal semantics about time, and supports reachability-based compositional verification.

On the opposite side of Petri nets are various logicbased models. Logic provides a more abstract approach to the description and analysis of FMS. In temporal logic, various temporal operators are provided to describe and reason about how the truthvalue of assertions varies over time. It has proven to be a very useful formalism for reactive systems (Pnueli, 1977). RTCTL (Emerson *et al.*, 1992), a real time propositional branching time logic, has been a popular choice for describing real time systems like FMS. It allows us to express various desired types of behavior, including safety, liveness, and boundedfairness.

As an operational model, Petri nets (with structural extensions) are well suited to model FMS as abstract programs, which can be formulated as the parallel composition of subsystems. However, it is cumbersome for describing system requirements. As a descriptive model, temporal logic is appropriate for specifying rules and constraints. However, it does not reflect the component/interaction view relevant for design level specification of FMS. So, when used alone, neither of these two methods is sufficient for architecture modeling of an FMS. In Mandrioli et al. (Mandrioli et al., 1995), the advantage of using the TRIO logic and TPN together for system specification and verification are suggested and explored. Unlike our work on RAS, however, it is unclear to us what the concrete objective of the suggested integration would be. Moreover, a formal framework was yet to be developed to show how to integrate TRIO with Petri nets.

#### 3. RAS models

In this section, we first give a conceptual framework of the RAS model. Then we give a brief introduction to TPN and RTCTL, two underlying formal methods of our RAS model. Finally, we formalize the RAS notation.

#### 3.1. Conceptual framework of RAS model

Our goal is to develop both a rigorous approach to enhance the integrity of design and an evolutionary process to control complexity in system modeling and analysis. To the end, RAS models a distributed system as a multi-leveled composition of components and real-time constraints that the components and their

?ng 3Se me et ets me ind wn rol ing , a for ind me WO 1 to ten the its. ind 'ith ds. ble ng: AS ind

14,

ital

ose

the

of

ort

in

trol ilso put, lity The s in 97). are *al.*, ung,

and

on,

compositions must satisfy at every design level. As refinement to the system design goes on, these architectural constraints are also decomposed and propagated to the lower levels of system architecture (possibly new constraints are introduced). The consistency between higher-level and lower-level design constraints are either automatically maintained or verified to ensure consistency and progressive characteristics of analysis.

More specifically, an RAS model consists of three basic elements: *component models*, *inter-component connections* (*connections* in brief), and *architectural constraints* (*constraints* in brief) organized into multi-design levels. The component models describe the real-time behavior and communication interface of the components. The connections specify how the components interact with each other and, in turn, form the *system composition model*. Finally, the constraints define real-time system requirements imposed on the components and connections. All connections are defined using only communication interfaces, which gives us the flexibility to change the design of individual components without voiding the analysis of the entire system.

A typical RAS model is illustrated in Fig. 1. The high-level design has three components—A1, A2, and A3. Component A3 is further refined at the next design level into the composition of components B1, B2, and

Wang and Deng

B3. The design at any level must satisfy the constraints specified at that level. A component model has two parts: (1) communication ports (denoted graphically by half circles), including input ports (e.g., port7) and output ports (e.g., port8), and (2) a TPN that describes the time-dependent, operational behavior of the component, that is, it defines the semantics associated with the ports. The communication between a component and its environment is solely through the ports. A connection represents a channel of interaction between components. It is modeled by a simple TPN and defines the direction of message flow and delay in the channel. For example, components A1 and A2 have a requestreply relationship that is modeled by the bi-directional channel. At any given design level, ports can also be divided into external ports, e.g., port1, and internal ports, e.g., port3 and port4. An internal port describes interaction between components within a system (or subsystem), while an external port describes the inputs and outputs from and to the environment of a system (or subsystem).

In addition to serving as a component's communication interface, the ports also provide the *linkage* between the operational design (components and connections) and the descriptive architectural constraints. In particular, time-critical system constraints are specified by RTCTL formulas defined over ports,



Fig. 1. Framework of the RAS model.

3.2. 1

In thi and metho

whe

whi

port

proj

con

only

reve

take

with

proc

is (

mod

that

boxe

of a

arch

syste

guar

men

oblig

cons

cons

the s

cons

deriv

origi

main

invol ensui these

deriv archi logic const const timeenvir

const

comp const mess: norm wide)

Fr

where each port represents an atomic proposition, which is true at the moment that a token arrives in the port. These ports constitute the alphabet (atomic propositions) of the RTCTL formulas that define the constraints. All constraints are specified using ports only, no internal information about the components is revealed. For example, constraint  $c_1$  limits the time taken in a request-reply interaction between A1 and with A2, and constraint  $c_2$  specifies the required processing time of component A3. This arrangement is critical to achieve the goals of incremental modeling and analysis described earlier, as it ensures that the component designs can be treated as blackboxes in the construction, understanding and analysis of a system's architecture. As more detailed system architecture is constructed by decomposing one of the system's components, it becomes possible for us guarantee the satisfaction of system-wide requirements by verifying the new sub-architecture meets its obligation imposed on its interface.

From the viewpoint of origination, architectural constraints are divided into two groups, one is original constraints, which reflect the user's requirements on the system under developed, and the other is derived constraints, which are intermediate constraints derived from original constraints. Notice that while original constraints may indeed be few in number, maintaining functionally correct original values may involve a large set of interacting components. Thus, to ensure these original constraints are satisfied, each of these components will, in turn, be subject to their own derived constraints. From the viewpoint of function, architectural constraints in an RAS model can also be logically divided into three classes: component constraints, environmental constraints, and path constraints. A component constraint describes a time-critical property of a component that its environment expects from it. An environmental constraint describes a time-critical property that a component expects from its environment. A path constraint describes a time-critical property for message transmission across components, which normally describes a system-wide (or subsystemwide) timing requirement.

#### 3.2. Underlying formal methods

In this section, we give a brief introduction to TPN and RTCTL, which are two underlying formal methods of our RAS model.

#### A. Time Petri Nets

#### A TPN is a tuple $(P, T, B, F, M_0, SIM)$ where:

- *P* is a finite nonempty set of places;
- T is a finite nonempty set of transitions;
- *B* is the backward incidence function;
- *F* is the forward incidence function;
- $M_0$  is the initial marking function (P, T, I, O and  $M_0$  together define a Petri net);
- SIM is a mapping called static interval,  $SIM: T \rightarrow Q^* \times (Q^* \cup \infty)$ , where  $Q^*$  is the set of positive rational numbers.

Let  $SIM(t_I) = (\alpha^S, \beta^S)$  for some transition  $t_i$ , then the interval of numbers  $(\alpha_i^s, \beta_i^s)$  is called the *static* firing interval of transition  $t_i$ , the left bound  $\alpha_i^s$  the static earliest firing time (state EFT for short), and the right bound  $\beta_i^s$  the static latest firing time (static LFT) for short).

A state S of a TPN is a pair S = (M, I) consisting of a marking M and a firing interval set I which is a vector of possible firing times. The number of entries in this vector is given in the number of the transitions enabled by marking M.

Transition t<sub>i</sub> is *firable* from state S = (M, I) at time  $\tau + \theta$  if and only if:

(1)  $t_i$  is enabled by marking M at time  $\tau$ ;

(2) The relative firing time  $\theta$  to the absolute enabling time  $\tau$ , is not smaller than the FET of transition  $t_i$  and not greater than the smallest of the LFT's of all the transitions enabled by marking M, i.e., EFT of  $t_i \leq \theta \leq \min\{\text{LFT of } t_k\}$ , where k ranges over the set of transitions enabled by M.

Assume that transition  $t_i$  be firable at time  $\tau + \theta$ from state S = (M, I). Then the state S' = (M', I')reached from S by firing  $t_i$  at the relative time  $\theta$  can be computed as follows.

(1) M' is computed, for all places p, as  $(\forall p)M'(p) = M(p) - I(t_i, p) + O(t_i, p);$ 

(2) I' is computed in three steps:

- Remove from the expression of *I* the intervals that are related to the transitions disabled when  $t_i$ is fired.
- Shift of the value  $\theta$  towards the origin of times all remaining firing intervals, i.e., the intervals that remain enabled and so remain in I, and truncate them, when necessary, to nonnegative values.
- Introduce in the domain the static intervals of the new transitions enabled.

circum de liverantes devictors in a constant de la de

12

le

nt

ts

ut

ıd

It.

it

le

r-

m

)-

1e

1.

it-

al

be

al

es

or

he

a

u-

20

nd

n-

its

ts.

#### **B.** Real-Time Computational Tree Logic An RTCTL Formula is defined as

- Each atomic proposition P is a formula.
- If p, q are formulae, then so are  $p \wedge q$  and  $\neg p$ .
- If p, q are formulae, then so are A(pUq), E(pUq), and EX p.
- If p, q are formulae and k is any natural number, then so are A(pU<sup>≤k</sup>q) and E(pU<sup>≤k</sup>q).

A formula of RTCTL is interpreted with respect to a temporal structure M = (S, R, L), where S is a set of states, R is a binary relation on S that is total (so each state has at least one successor), and L is a labeling which assigns to each state a set of atomic propositions, those intended to be true at the state. Intuitively, this temporal structure  $\Sigma$  represents the reachability graph of the architecture. A full-path  $x = s_0, s_1, s_2, \ldots$  in  $\Sigma$  is an infinite sequence of states such that  $(s_i, s_{i+1}) \in R$  for each *i*; intuitively, a full-path captures the notion of an execution sequence.

#### 3.3. Formalization of RAS model

An RAS consists of a set of compositions C (a composition may correspond to a design level, or the concept of sub-architecture given in Section 3.1) and a hierarchical mapping h:

$$RAS = (C, h)$$

(1)  $C = (C_1, C_1, \dots, C_k)$ , and  $C_i = \{Cm, Cn, Cs\}$  for each  $C_i$ , where

 Cm is a set of components. Each Cm<sub>j</sub>∈C<sub>m</sub> is defined by a TPN. Let

$$Cm_{j} \cdot PORT \_IN$$

$$= \{p | p \in Cm_{j} \cdot P, *P \cap Cm_{j} \cdot T = \emptyset\}$$

$$Cm_{j} \cdot PORT\_OUT$$

$$= \{p | p \in Cm_{j} \cdot P, P^{*} \cap Cm_{j} \cdot T = \emptyset\}$$

$$Cm_{j} \cdot PORT$$

$$= Cm_i \cdot PORT_IN \cup Cm_i \cdot PORT_OUT$$

 $Cm_j \cdot PORT\_IN$  is called the set of input ports of component  $Cm_j$ ,  $Cm_j.PORT\_OUT$  the set of output ports of  $Cm_j$ , and  $Cm_j.PORT$  the set of ports of  $Cm_j$ . Moreover, for  $\forall Cm_j$ ,  $Cm_k \in Cm$ ,

 $Cm_j \cdot P \cap Cm_k \cdot P = \emptyset$ 

 $Cm_i \cdot T \cap Cm_k \cdot T = \emptyset$ 

• Cn is connection.  $Cn = (P, T, I, O, M_0, SI)$  such that

$$Cn \cdot P \cap \left[ \bigcup_{Cm_j \in Cm} Cmj \setminus Cmj \cdot PORT \right] = \emptyset$$
$$Cn \cdot T \cap \left[ \bigcup_{Cm_j \in Cm} Cmj \cdot T \right] = \emptyset$$

Also, in the TPN of composition  $C_i$ ,

$$Cj \cdot P \cap \left[ \bigcup_{Cm_j \in C_m} Cmj \cdot T \right] \cup Cn \cdot P$$
$$Ci \cdot T \cap \left[ \bigcup_{cm_j \in C_m} Cm_j \cdot T \right] \cup Cn \cdot T$$

Let

 $Cj \cdot PORT = \bigcup_{Cm_j \in C_m} Cmj \cdot PORT,$ 

$$Cmj \cdot PORT \_INT$$
  
= {p|p \in Ci \cdot PORT, \* P \cap Ci \cdot T  
\neq \angle \cap P^\* \cap Ci \cdot T \neq \angle \}

Cmj · PORT\_EXT

$$= \{p | p \in Ci \cdot PORT, *P \cap C_i \cdot T \\ = \emptyset \lor P^* \cap Ci \cdot T = \emptyset \}$$

 $C_i$ . PORT\_INT is called the set of intrenal ports of component  $Cm_j$ ,  $Cmj \cdot PORT\_EXT$  the set of output ports of  $C_i$ , and  $Ci \cdot PORT$  the set of ports of  $C_i$ .

 Cs is a set of constraints. Each Cs<sub>j</sub>∈Cs is an RTCTL formula and it only uses ports as its atomic propositions. The atomic proposition is true The atomic proposition is true at the moment τ iff:

- marking transition happens at  $\tau$ , and

- the port contains a token in the new marking. In the temporal structure  $\Sigma = (S, R, L), S$  $= (M, \varphi_M)$  where *M* is a TPN marking, and  $\varphi_M$  is the global time when the TPN enters *M*; *R* is a binary relation on *S*, which is indicated by Ec

CO

s of : of t of

Cm,

leng

such

f ports is an as its tion is

at the

ports

set of

arking. (L), Sg, and (S, M); Rated by Incremental modeling and verification of flexible manufacturing systems

firing transitions; and L is a mapping:  $(M, \varphi_M) \rightarrow Ci \cdot PORT$ . In addition, the following condition is enforced:

$$C_{s_{j} \in C_{s}}^{\wedge} C_{s_{i}} \tag{1}$$

For  $\forall Cs_j \in C_i.Cs$ , denote by  $Csj \cdot PORT$  the set of ports which are used as atomic propositions of  $Cs_j$ . If

 $Csk \cdot PORT \cap Cmj \cdot PORT \neq \emptyset$ we say  $Cs_k$  is defined on  $Cm_j$ ; if

 $Csk \cdot PORT \subseteq Cm_i \cdot PORT$ 

we say  $Cs_k$  is defined only on  $Cm_i$ . Let

$$Cmj \cdot Cs = \{Cs_k | Cs_k \in Ci \cdot Cs \land Csk \\ \cdot PORT \subseteq Cmi \cdot PORT\}$$

(2)  $\forall C_i \in C, \forall Cm_l \in C_i.Cm, h : Cm_l \rightarrow C_j, j \neq i$ , such that

•  $Cml \cdot PORT = Cj \cdot PORT\_EXT$  (2)

• 
$$Cml \cdot Cs \subseteq C_j \cdot Cs.$$
 (3)

In the above definition, Exp. (1) states that all constraints should be consistent with each other, and it gives the *horizontal constraint consistency condition*. Equation 2 states that when refining a component into a sub-architecture which may be composed of several new components, the sub-architecture must take all ports of the component as all its external ports. Equation 3 states that when refining a component into a sub-architecture, the sub-architecture must conform to all constraints which the component are subject to. Such a consistency enforces that the system requirements are met in every step of the design process. Equations 2 and 3 together give the *vertical interface consistency conditions*.

For example, in the RAS model shown in Fig. 1,

$$C1 \cdot Cm = \{A1, A2, A3\}, C_2 \cdot Cm$$
  
= {B1, B2, B3}, h(C<sub>1</sub> \cdot Cm \cdot A3) = C<sub>2</sub>  
$$C1 \cdot Cn = \{c_1, c_2\}, C_2 \cdot Cn = \{c_2\}$$

 $C = (C_1, C_2)$ 

 $A1 \cdot PORT = \{port1, port2, port3, port9, port10\}$ 

 $A1 \cdot PORT\_IN = \{port1, port3, port9\}, A1 \cdot PORT\_OUT$  $= \{port2, port10\}$ 

 $C1 \cdot PORT = \{port1, port2, ..., port10\}$ 

 $= \{port2, port3, ..., port9\}, C1 \cdot PORT\_EXT$  $= \{port1, port10\}$ 

$$C2 \cdot PORT\_EXT = \{port7, port8\}$$
$$= C1 \cdot Cm \cdot A3 \cdot PORT$$

$$C1 \cdot Cn = \{c_1, c_2\}, C2 \cdot Cn = \{c_2\}$$
$$= C1 \cdot Cm \cdot A3 \cdot Cn$$

#### 4. Incremental modeling of an FMS

In this section, we illustrate the use of RAS to model an FMS. This will further explain the RAS framework as well as illustrate the benefits of using the RAS framework. We focus on the timing properties of an FMS, which is closely related to the execution delay of each activity of the system.

#### 4.1. Overview of the system

The manufacturing system is composed of three subsystems: processing, checking, and repairing subsystems. These three subsystems run concurrently. The processing subsystem is composed of 7 machines, indicated as M1–7. Two types of workpieces, indicated as W1 and W2, are processed and then assembled into a new one, indicated as W3. The processing flow is shown in Fig. 2. That is, W1 and W2 are first processed by M1 and M2, which results in W1<sup>(1)</sup> and W2<sup>(1)</sup>, respectively. Next, W1<sup>(1)</sup> is processed by either M3 or M5, which results in W1<sup>(2)</sup>, then by either M4 or M6, which results in W1<sup>(3)</sup>; W2 is processed by either M3 or M4, which results in W2<sup>(3)</sup>, then by either M5 or M6, which results in W2<sup>(3)</sup>. Finally, W1<sup>(3)</sup> and W2<sup>(3)</sup> are further



Fig. 2. The processing flow of the processing subsystems.

Wang and Deng



Fig. 3. The processing flow of the repairing subsystems.

assembled by M7 into W3. W3 is the product of the processing subsystem.

After receiving a product from the processing subsystem, the checking subsystem examines whether the product satisfies quality control conditions. If it does, then the product will be sealed and output as the final product of the whole system. If it doesn't, it will be sent to the repairing subsystem for repair. When the repairing activity is finished, it will be returned to the checking subsystem and sealed.

The repairing subsystem is composed of 4 machines, indicated by M8–M11, as shown in Fig. 3. An unqualified product W3 of the processing subsystem is first disassembled by M8 into two workpieces,  $W1^{(3)}$  and  $W2^{(3)}$ .  $W1^{(3)}$  and  $W2^{(3)}$  are processed by M9 and M10, which results in  $W1^{(4)}$  and  $W2^{(4)}$ , respectively. Then,  $W1^{(4)}$  and  $W2^{(4)}$  are assembled by M11 into  $W3^{(1)}$ , which is then returned to the checking subsystem.

In addition, there are two vehicles, vehicle 1 and vehicle 2, responsible for the transfer of products between processing and checking subsystems and between checking and repairing subsystems, respectively.

The requirements for timing properties of this FMS design include:

(1) The processing time of the processing subsystem for each pair of workpieces is not longer than 25 time units.

(2) The processing time of the checking subsystem for each product of the processing subsystem is not longer than 12 time units.

(3) After the checking subsystem sends an unqualified product to the repairing subsystem, it must receive the repaired product within 10 time units.

#### 4.2. RAS architecture of the system

In order to capture the profile of the operational model of the manufacturing system, we first present its RAS



Fig. 4. RAS architecture of the FMS.

architecture in Fig. 4, where each component is corresponding to a subsystem, namely the processing subsystem is viewed as component PS, the checking subsystem as CS, and the repairing subsystem as RS. Table 1 and Table 2 show the meanings of all ports and connection transitions.

#### 4.3. Architectural constraints imposed on the system

In this section, we give the RTCTL formulae for the three constraints of the FMS design. The first constraint,  $c_1$ , is

$$c_1: port1 \rightarrow AF^{\leq 25} port2$$

which is a component constraint and states that the processing time of the processing subsystem for each pair of workpieces is not longer than 25 time units. The second constraint,  $c_2$ , is

$$c_2: port3 \rightarrow AF^{\leq 12} port4$$

which is also a component constraint and states that the processing time of the checking subsystem for each product of the processing subsystem is not longer than 12 time units. The third constraint,  $c_3$ , is

$$c_3: port5 \rightarrow AF^{\leq 20} port6$$

which is an environmental constraint and states that after the checking subsystem sends an unqualified product to the repairing subsystem, it must receive the repaired product within 20 time units.

The importance of this step is twofold: First, the global system requirements are transformed into

492

 $T_5$ 

Tal Por por por

por

por.

por

pori

pori

spe

moj

tem

Cor

wha

glol

we

of tl

arch

low requ

by f

arch

nent

desc

incc

as imp

Inc

| Manual and a state of the state |                 |                                                                                                          |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------|----------------------------------------------------------------------------------------------------------|
| Port                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | Туре            | Description                                                                                              |
| port1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | input/external  | A pair of workpieces are ready for processing                                                            |
| port2                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | output/internal | The processing of a product at the processing subsystem is finished                                      |
| port3                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | input/internal  | A product of the processing subsystem is ready for quality checking                                      |
| port4                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | output/external | A product of the whole system is available                                                               |
| port5                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | output/internal | A unqualified product of the processing subsystem is ready to be transferred to the repairing subsystem. |
| port6                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | input/internal  | A repaired product is ready for processing by the checking subsystem                                     |
| port7                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | input/internal  | A unqualified product of the processing subsystem is ready for repairing                                 |
| port8                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | output/internal | The repairing of a unqualified product is finished                                                       |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |                 |                                                                                                          |

Table 1. Legends of ports in Fig. 4

specific constraints on this particular architecture, more precisely, constraints imposed on the subsystems and connections between the subsystems. Consequently, we gain a clear understanding about what role each subsystem plays in satisfying the global requirements. This also eases analysis as now we deal with specific conditions imposed on each part of the system as oppose to requirement to the system as a whole. This feature becomes increasingly important as we approach to more detailed levels of architectural design where the association between a low-level system component and a system-wide requirement becomes much harder to grasp. Second, by formalizing time-critical requirements in terms of architectural constraints (based solely on the component interfaces), it not only removes ambiguity in the description, but also makes it easier to detect possible inconsistency or conflict between different (competing) requirements.

### 4.4. Operational model of each component (subsystem)

In this step, we use TPN as a tool to define the operational behavior of each component. Using the Petri net design methodologies, we can synthesize an ordinary Petri net model for a component based on its operations relationship among these operations. After we get such an ordinary Petri net, giving time requirements for various operation results in a TPN model, in which every transition is associated with an appropriate time delay interval.

The operational model of components are shown as in Figs. 5, 6 and 7, and the legends of places and transitions involved in these models are listed in Tables 3, 4, and 5. Here, we use a thin bar to represent an immediate transition, and we use a thick bar to model timed transition. In Fig. 6, t32 and t33 form a random switch. We assume that the probabilities for

#### Table 2. Legends of places and transitions in Fig. 4

| Place                 | Description                                                                        |                 |
|-----------------------|------------------------------------------------------------------------------------|-----------------|
| $\overline{P_1}$      | Vehicle 2 is available                                                             |                 |
| $P_2$                 | Vehicle 2 is transferring the unqualified product to the repairing system          |                 |
| <i>P</i> <sub>3</sub> | Vehicle 2 is transferring the repaired product back to the checking system         |                 |
| Transition            | Description                                                                        | Firing Interval |
| $T_1$                 | Vehicle 1 transfers the product of the processing subsystem to the checking system | [1,2]           |
| $T_2$                 | Vehicle 2 begins transferring the unqualified product to the repairing system      |                 |
| $T_3$                 | Vehicle 2 ends transferring the unqualified product to the repairing system        | [1, 2]          |
| $T_4$                 | Vehicle 2 begins transferring the repaired product back to the checking system     |                 |
| $T_5$                 | Vehicle 2 ends transferring the repaired product back to the checking system       | [1, 2]          |

ng

rt4

orts

is

ing

ing

RS.

*tem* the first

the ach nits.

that for nger

that ified e the

, the into

Wang and Deng



Fig. 5. The operational model of the processing subsystem.

these two transitions are 0.9 and 0.1, respectively. This information is necessary when we verify the system's constraints.

So far, we have got a complete, executable and analyzable formal model that represents the top-level design of the manufacturing system. Next, we consider the refinement of the FMS model.

#### 4.5. Support for incremental design of the FMS

In this section, we further discuss the incremental nature of RAS in the architectural modeling of the FMS. We illustrate the refinement of component of checking-subsystem (CS) into a sub-architecture which is composed of four components. Such an



Fig. 6. The operational model of the checking subsystem.

ability is necessary to make a modeling approach scale up.

Figure 8 shows the RAS sub-architecture of the refined checking subsystem, which is composed of four components, namely Checking Center, Analysis Unit I, Analysis Unit II, and Sealing Unit. After receiving a product from the processing subsystem, the checking center does some checking operations and then sends the resulting data to the two analysis units for analysis (T11 and T13 fire). After the data analysis, the two analysis units return the analysis results to the checking center (T12 and T14 fires). The checking center then fuses the analysis results and determines if the product satisfies quality control conditions. If it does (T15 fires), then the product will be sealed and output as the final product of the whole system. If it doesn't (T16 fires), it will be sent to the repairing subsystem for repair. When the repairing activity is finished, it will be returned to the sealing



Fig. 7. The operational model of the repairing subsystem.

| Place                                                                                                                                                                                                                                                                              | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |                                                                                                                                      |
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------|
| pi, $i = 1, 2, 3, 4$                                                                                                                                                                                                                                                               | Mj is available, $j = i + 2$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |                                                                                                                                      |
| o5 (p6)                                                                                                                                                                                                                                                                            | W1 (W2) is ready for processing at M1 (M2)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |                                                                                                                                      |
| $p_{17}^{(12)}(108)$                                                                                                                                                                                                                                                               | $W1^{(1)}$ ( $W2^{(1)}$ ) is ready for processing at either M3 or M5 (M4)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |                                                                                                                                      |
| $p_{0}(p_{0})$                                                                                                                                                                                                                                                                     | $W1^{(1)}$ is under processing by M3 (M5)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |                                                                                                                                      |
| (p10)                                                                                                                                                                                                                                                                              | $W2^{(1)}$ is under processing by M3 (M4)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |                                                                                                                                      |
| (p12)                                                                                                                                                                                                                                                                              | $W1^{(2)}$ (W2 <sup>(2)</sup> ) is ready for processing at either M4 (M5) or M6                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |                                                                                                                                      |
| (p14)                                                                                                                                                                                                                                                                              | $W1^{(2)}$ is under processing by M4 (M6)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |                                                                                                                                      |
| $p_{17}(p_{18})$                                                                                                                                                                                                                                                                   | $W2^{(2)}$ is under processing by M5 (M6)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |                                                                                                                                      |
| p19 (p20)                                                                                                                                                                                                                                                                          | $W1^{(3)}$ (W2 <sup>(3)</sup> ) is ready for processing at either M4 (M5) or M6                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | 2                                                                                                                                    |
| Transition                                                                                                                                                                                                                                                                         | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | Firing Interval                                                                                                                      |
| 1                                                                                                                                                                                                                                                                                  | A pair of workpieces are loaded onto the two machines                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | [1, 2]                                                                                                                               |
| (12) (13)                                                                                                                                                                                                                                                                          | M1 (M2) processes W1 (W2)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | [2, 4]                                                                                                                               |
| 2(13)                                                                                                                                                                                                                                                                              | M3 (M5) begins processing $W1^{(1)}$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |                                                                                                                                      |
|                                                                                                                                                                                                                                                                                    | M3 (M4) begins processing $W2^{(1)}$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |                                                                                                                                      |
| (t/)                                                                                                                                                                                                                                                                               | M3 (M5) ends processing $W1^{(1)}$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | • [2, 4]                                                                                                                             |
| 0 (19)<br>10 (+11)                                                                                                                                                                                                                                                                 | M3 (M4) ends processing $W^{(1)}$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | [2, 4]                                                                                                                               |
| .10 (111)                                                                                                                                                                                                                                                                          | $M_{1}$ (M6) begins processing $W^{(2)}$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | · · · · ·                                                                                                                            |
| .12 (113)                                                                                                                                                                                                                                                                          | M5 (M6) begins processing $W^{(2)}$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |                                                                                                                                      |
| 14 (LIS)                                                                                                                                                                                                                                                                           | $M_{1}$ (M6) and processing $W_{1}^{(2)}$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | [2, 4]                                                                                                                               |
| .16 (t17)                                                                                                                                                                                                                                                                          | W4 (W0) ends processing $W1$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | [2, 4]                                                                                                                               |
| .18 (t19)                                                                                                                                                                                                                                                                          | $W_3$ ( $W_0$ ) ends processing $W_2$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | [2, 4]                                                                                                                               |
| Table 4. Legends of p                                                                                                                                                                                                                                                              | M/ assembles w1 <sup>-2</sup> and w2 <sup>-2</sup>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |                                                                                                                                      |
| 20<br>Table 4. Legends of p<br>Place                                                                                                                                                                                                                                               | M/ assembles w10 and w20                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |                                                                                                                                      |
| 20<br><b>Table 4.</b> Legends of p<br><i>Place</i><br>p31                                                                                                                                                                                                                          | M/ assembles w1 <sup>-2</sup> and w2 <sup>-2</sup>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |                                                                                                                                      |
| 20<br><b>Fable 4.</b> Legends of p<br><i>Place</i><br>p31<br>p32                                                                                                                                                                                                                   | M/ assembles w1 <sup>cr</sup> and w2 <sup>cr</sup>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |                                                                                                                                      |
| 20<br><b>Fable 4.</b> Legends of p<br><i>Place</i><br>031<br>032<br>033                                                                                                                                                                                                            | M/ assembles W1 <sup>-0</sup> and W2 <sup>-1</sup><br>places and transitions in Fig. 6<br>Description<br>Checking result is available<br>Ready for sealing<br>Ready for being loaded onto the vehicle                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |                                                                                                                                      |
| 20<br><b>Table 4.</b> Legends of p<br><i>Place</i><br>p31<br>p32<br>p33<br><i>Transition</i>                                                                                                                                                                                       | M/ assembles w1 and w2 | Firing Interva                                                                                                                       |
| 20<br><b>Fable 4.</b> Legends of p<br><i>Place</i><br>031<br>032<br>033<br><i>Transition</i><br>131                                                                                                                                                                                | M/ assembles w10 and w20<br>places and transitions in Fig. 6<br>Description<br>Checking result is available<br>Ready for sealing<br>Ready for being loaded onto the vehicle<br>Description<br>Checking the product                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Firing Interva<br>[2,4]                                                                                                              |
| 20<br><b>Table 4.</b> Legends of p<br>Place<br>p31<br>p32<br>p33<br><i>Transition</i><br>t31<br>t32                                                                                                                                                                                | M/ assembles w1% and w2%  blaces and transitions in Fig. 6  Description  Checking result is available Ready for being loaded onto the vehicle  Description  Checking the product The product passes the test                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | Firing Interva<br>[2,4]                                                                                                              |
| 20<br><b>Table 4.</b> Legends of p<br><i>Place</i><br>p31<br>p32<br>p33<br><i>Transition</i><br>t31<br>t32<br>t33                                                                                                                                                                  | M/ assembles w1% and w2%  blaces and transitions in Fig. 6  Description  Checking result is available Ready for being loaded onto the vehicle  Description  Checking the product The product passes the test The product doesn't pass the test                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | <i>Firing Interva</i> [2,4]                                                                                                          |
| 120 <b>Table 4.</b> Legends of p         Place         p31         p32         p33         Transition         131         132         133         134                                                                                                                              | M/ assembles w1% and w2%  blaces and transitions in Fig. 6  Description  Checking result is available Ready for being loaded onto the vehicle  Description  Checking the product The product passes the test The product doesn't pass the test The subsystem seals the product                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | <i>Firing Interva</i><br>[2,4]<br>[2,4]                                                                                              |
| 120         Table 4. Legends of p         Place         p31         p32         p33         Transition         t31         t32         t33         t34         t35                                                                                                                 | M/ assembles w1% and w2%  blaces and transitions in Fig. 6  Description  Checking result is available Ready for being loaded onto the vehicle  Description  Checking the product The product passes the test The product doesn't pass the test The subsystem seals the product The subsystem loads the product onto the vehicle                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | <i>Firing Interva.</i><br>[2,4]<br>[2,4]<br>[2,4]<br>[2,4]<br>[2,4]                                                                  |
| 220<br><b>Table 4.</b> Legends of p<br><i>Place</i><br>p31<br>p32<br>p33<br><i>Transition</i><br>t31<br>t32<br>t33<br>t34<br>t35<br>t36                                                                                                                                            | M/ assembles w1 or and w2 or operations in Fig. 6 Description Checking result is available Ready for sealing Ready for being loaded onto the vehicle Description Checking the product The product passes the test The product doesn't pass the test The subsystem seals the product The subsystem loads the product from the vehicle                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | <i>Firing Interval</i><br>[2,4]<br>[2,4]<br>[2,4]<br>[2,4]<br>[2,4]                                                                  |
| Table 4. Legends of p         Place         p31         p32         p33         Transition         t31         t32         t33         t34         t35         t36         Table 5. Legends of p                                                                                   | M/ assembles w1 or and w2 or an                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | <i>Firing Interval</i><br>[2,4]<br>[2,4]<br>[2,4]<br>[2,4]<br>[2,4]<br>[2,4]                                                         |
| Table 4. Legends of p         Place         p31         p32         p33         Transition         t31         t32         t33         t34         t35         t36         Table 5. Legends of p         Place                                                                     | M/ assembles W1 <sup>er</sup> and W2 <sup>er</sup> blaces and transitions in Fig. 6  Description  Checking result is available Ready for being loaded onto the vehicle  Description  Checking the product The product passes the test The product doesn't pass the test The subsystem seals the product The subsystem loads the product onto the vehicle The subsystem unloads the product from the vehicle blaces and transitions in Fig. 7  Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | <i>Firing Interva.</i><br>[2,4]<br>[2,4]<br>[2,4]<br>[2,4]<br>[2,4]                                                                  |
| Table 4. Legends of p         Place         p31         p32         p33         Transition         t31         t32         t33         t34         t35         t36         Table 5. Legends of p         Place         p61 (p62)                                                   | M/ assembles W1 <sup>(3)</sup> and W2 <sup>(4)</sup><br>places and transitions in Fig. 6<br>Description<br>Checking result is available<br>Ready for sealing<br>Ready for being loaded onto the vehicle<br>Description<br>Checking the product<br>The product passes the test<br>The product doesn't pass the test<br>The subsystem seals the product<br>The subsystem loads the product onto the vehicle<br>The subsystem unloads the product from the vehicle<br>blaces and transitions in Fig. 7<br>Description<br>W1 <sup>(3)</sup> (W2 <sup>(3)</sup> ) is ready for processing at W9 (W10)<br>W1 <sup>(4)</sup> (W2 <sup>(4)</sup> ) is ready for processing at W9 (W10)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | <i>Firing Interval</i><br>[2,4]<br>[2,4]<br>[2,4]<br>[2,4]<br>[2,4]                                                                  |
| 20<br><b>Table 4.</b> Legends of p<br><i>Place</i><br>p31<br>p32<br>p33<br><i>Transition</i><br>131<br>132<br>133<br>134<br>135<br>136<br><b>Table 5.</b> Legends of p<br><i>Place</i><br>p61 (p62)<br>p63 (p64)                                                                   | M/ assembles w10 <sup>o</sup> and w2 <sup>o</sup><br>places and transitions in Fig. 6<br>Description<br>Checking result is available<br>Ready for sealing<br>Ready for being loaded onto the vehicle<br>Description<br>Checking the product<br>The product passes the test<br>The product doesn't pass the test<br>The subsystem seals the product<br>The subsystem loads the product onto the vehicle<br>The subsystem unloads the product from the vehicle<br>blaces and transitions in Fig. 7<br>Description<br>W1 <sup>(3)</sup> (W2 <sup>(3)</sup> ) is ready for processing at W9 (W10)<br>W1 <sup>(4)</sup> (W2 <sup>(4)</sup> ) is ready for processing at W11                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | <i>Firing Interva</i><br>[2,4]<br>[2,4]<br>[2,4]<br>[2,4]<br>[2,4]                                                                   |
| 20 <b>Table 4.</b> Legends of p         Place         p31         p32         p33 <i>Transition</i> t31         t32         t33         t34         t35         t36 <b>Table 5.</b> Legends of p         Place         p61 (p62)         p63 (p64) <i>Transition</i>               | M/ assembles W1 <sup>-0</sup> and W2 <sup>-1</sup><br>places and transitions in Fig. 6<br>Description<br>Checking result is available<br>Ready for sealing<br>Ready for being loaded onto the vehicle<br>Description<br>Checking the product<br>The product passes the test<br>The product doesn't pass the test<br>The subsystem seals the product<br>The subsystem loads the product onto the vehicle<br>The subsystem unloads the product from the vehicle<br>blaces and transitions in Fig. 7<br>Description<br>W1 <sup>(3)</sup> (W2 <sup>(3)</sup> ) is ready for processing at W9 (W10)<br>W1 <sup>(4)</sup> (W2 <sup>(4)</sup> ) is ready for processing at W11<br>Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Firing Interva<br>[2,4]<br>[2,4]<br>[2,4]<br>[2,4]<br>[2,4]<br>[2,4]                                                                 |
| 120 <b>Table 4.</b> Legends of p         Place         p31         p32         p33 <i>Transition</i> t31         t32         t33         t34         t35         t36 <b>Table 5.</b> Legends of p <i>Place</i> p61 (p62)         p63 (p64) <i>Transition</i> t61                   | M/ assembles W1 <sup>(3)</sup> and W2 <sup>(4)</sup> places and transitions in Fig. 6  Description  Checking result is available Ready for sealing Ready for being loaded onto the vehicle  Description  Checking the product The product passes the test The product doesn't pass the test The subsystem seals the product The subsystem loads the product onto the vehicle The subsystem unloads the product from the vehicle  places and transitions in Fig. 7  Description  W1 <sup>(3)</sup> (W2 <sup>(3)</sup> ) is ready for processing at W9 (W10) W1 <sup>(4)</sup> (W2 <sup>(4)</sup> ) is ready for processing at W11  Description  M8 disassembles W3                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Firing Interva<br>[2, 4]<br>[2, 4]<br>[2, 4]<br>[2, 4]<br>[2, 4]<br>Firing Interva<br>[2, 4]                                         |
| 120 <b>Table 4.</b> Legends of p         Place         p31         p32         p33 <i>Transition</i> t31         t32         t33         t34         t35         t36 <b>Table 5.</b> Legends of p <i>Place</i> p61 (p62)         p63 (p64) <i>Transition</i> t61         t62 (t63) | M7 assembles $W1^{(3)}$ and $W2^{(3)}$<br>places and transitions in Fig. 6<br>Description<br>Checking result is available<br>Ready for sealing<br>Ready for being loaded onto the vehicle<br>Description<br>Checking the product<br>The product passes the test<br>The product doesn't pass the test<br>The subsystem loads the product<br>The subsystem loads the product from the vehicle<br>The subsystem unloads the product from the vehicle<br>blaces and transitions in Fig. 7<br>Description<br>$W1^{(3)} (W2^{(3)})$ is ready for processing at W9 (W10)<br>$W1^{(4)} (W2^{(4)})$ is ready for processing at W11<br>Description<br>M8 disassembles W3<br>M9 (M10) processes $W1^{(3)} (W2^{(3)})$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | Firing Interva<br>[2, 4]<br>[2, 4]<br>[2, 4]<br>[2, 4]<br>[2, 4]<br>[2, 4]<br>Firing Interva<br>[2, 4]<br>[2, 4]<br>[2, 4]<br>[2, 4] |

Table 3. Legends of places and transitions in Fig. 5

port8

ng

ach

the . of ysis fter em, ons ysis lata ysis The and itrol will nole the ring ling 495



Fig. 8. Refinement of the checking subsystem.

unit and sealed. Notice that the connection transitions T15 and T16 are the same as t32 and t33 in Fig. 6.

As pointed out in Section 3.3, this refined subarchitecture must satisfy two vertical consistency conditions. The ports of the old component design shown in Fig. 6 have been totally inherited by the subarchitecture; we also need to ask the sub-architecture conform to all constraints which the old component design are subject to. Otherwise, we cannot safely plug the new component into the system's RAS model. From the top-level RAS model we know that component CS is subject to a component constraint  $c_2$ and has a requirement of environmental constraint  $c_3$ . Therefore, this sub-architecture must satisfy  $c_2$ whenever the environmental constraint  $c_3$  is satisfied.

The next important issue of our RAS model is the verification of constraints against the system operational model. We address it in the next section.

#### 5. Constraint-driven compositional verification

The modular nature of RAS model and its emphasis on maintaining a strong correlation between design and requirements provide a natural support for incremental verification and for enforcing conformance of the design to the requirements. We have developed a two dimensional incremental verification technique that helps to achieve these benefits. In this section, we briefly introduce our verification technique and illustrate its illustrated its working on the FMS described in Section 4. Wang and Deng

In

P

Fis

the

ac

on

Sta

co

TF

the

of.

de:

De

Le.

an

pa.

poi

cai

en

is :

De

Lei

anc

pai

рог

pas

env

son

pai: J

paiı

Fig.

reacl

follo

F

A general framework for our RAS verification technique can be described as follows: The process of verification is driven by showing that the components and their composition satisfy their corresponding constraints at every design level. We cut down the verification complexity by supporting horizontal as well as vertical composition-ability. At any given level, verification proceeds by analyzing the components against their corresponding component constraints one at a time and then composing these results to deduce system-wide properties as specified by connection and cross-connection constraints at that level. Thus, the complexity of analysis is proportional to the size and number of components, rather than the size of the entire model. After a design has been verified at a given level, it is further refined into lower level design. The high level constraints are propagated to the lower level. Then the design at the lower level is checked against the lower level constraints, and the refinement process continues. At every level, we make sure that the constraints are consistent with the constraints at the parent level so that a verified lowerlevel design can be safely plugged into its parent level architecture without having to reverify the entire model.

The salient features of our technique are: (1) it enforces design integrity by maintaining a tight combination of design and system requirements and (2) it reduces the verification complexity by introducing many component-level reduction rules.

We first describe the verification algorithm for a given level of design. Then we discuss the verification across design levels. We assume that we have proved that all constraints are consistent each other.

#### 5.1. Incremental verification at a given design level

Our algorithm works in two stages. In the first stage, we order the components so that the timing behavior of any component depends only on the components which are lower in this order. This stage assumes that



Fig. 9. Illustration of component-level reduction rule 1.



Fig. 10. Illustration of component-level reduction rule 2.

the underlying dependency-graph of components is acyclic. In the next stage, we consider components one at a time in the order computed in the previous stage. Each component is verified against its component constraints and then reduced to a simple TPN of constant size that preserves the ports and all the externally observable time-dependent properties of the component.

The following two definitions are needed for the description of our verification algorithm.

#### Definition 1

Let PORT\_IN and PORT\_OUT be the input port set and output port set of a component, respectively. A pair of ports, <port\_in, port\_out>, where  $port_in \in PORT_IN$  and  $port_out \in PORT_OUT$ , is a calling pair of the component if a reply token from the environment is expected at port\_in whenever a token is sent to some other component from port\_out.

#### Definition 2

Let PORT\_IN and PORT\_OUT be the input port set and output port set of a component, respectively. A of ports, <port\_in, port\_out>, where pair  $port_in \in PORT_IN$  and  $port_out \in PORT_OUT$ , is a passing pair if a token is expected to be sent to the environment from port\_out whenever a token from some other component is received at port\_in.

For example, in Fig. 4, <port5, port6> is a calling pair, whereas < port3, port4 > is a passing pair.

The basic idea of the algorithm is to close passing pairs by connecting them with timed transitions,



Fig. 11. Illustration of component-level reduction rule 3. The token reached port1 will either follows token flow path 1 to reach port2, or follow token flow path 2 to reach port3.



Fig. 12. Illustration of component-level reduction rule 4. The arrival of a token at port1 will result in a token reaches each of port2 and port3.

thereby replacing each component by a very simple net of constant size that preserves all external observable time-critical properties of the component being replaced. In Figs. 9-13, we introduce a set of component-level reduction rules to support such closure (The formal description of these rules is included in Appendix). The reduction rules introduced here work at a much coarser level than the reduction rules given in (Sloan and Buy, 1996), which work at individual transition level. Consequently, we need fewer applications of our rules to reduce the size of the model being analyzed. In these rules, the static firing time interval  $SI(t_{(1,2)})$  of transition  $t_{(1,2)}$  is the same as  $D_{(\text{port1, port2})}$ , the time delay interval of the message transfer between the epoch of port1 being marked and that of port2 being marked, and  $SI(t_{((1,2),3)})$  of  $t_{((1,2),3)}$  is the same as  $D_{((port1, 1, 2),3)}$ port2), port3), the time delay interval of the message transfer between the epoch of both port1 and port2 being marked and that of port3 being marked, and so on. Without the loss of generality, in our reduction rules, we assume that for any component model to be reduced, no transitions in the model are enabled in the initial state of the system. Particularly, we assume:

#### Assumption 1

#### The TPN model of the system under design is safe.

This assumption implies that the system takes the same statistical property of time to deal with inputs arriving in different time. This enables us to consider only one set of inputs to verify the system constraints. In this case, for any component to be reduced, no



Fig. 13. Illustration of component reduction rule 5.

iese fied that mal the ieen wer ated elis the we the verevel itire 1) it ight and oduor a ition oved

level

tage,

wior

ients

that

eng

ion sof ints ing

the

as ven

po-

ient



Fig. 14. (a) Reduction of component PS. (b) Reduction of component RS. (c) The simple but equivalent model of the system.

reachability analysis (Berthomieu and Diaz, 1991), we conclude

$$SI(t_{(1,2)}) = [11, 22], \text{ and}$$
  
 $SI(t_{(7,8)}) = [7, 13]$ 

So the constraint  $c_1$ : port  $1 \rightarrow AF^{\leq 25}$  port 2 is verified. Next, we consider the component CS. Figure 10(c) shows CS and its interaction with simplified PS and RS, and we use it to verify other constraints. Based on Fig. 14(c) and the fact that the switch probabilities for transition t32 and t33 are 0.9 and 0.1, respectively, we obtain

$$D_{-}(\text{port5}, \text{port6}) = SI(T_3) + SI(t_{(7,8)}) + SI(T_5)$$
  
+ [9, 17]

and

2ng

on

ong

ICY

) a

ITSL

nts

he

ne.

)se 1er

the our

hat

ınd is

n't

it.

the

or

If

the

ige

nt;

is

of

hm > 3.

on

we

ore

ıfe,

ed.

ind

we

RS

ple

#### $D_{-}(port3, port4)$

$$= 0.9 \times [SI(t_{31}) + SI(t_{34})] + 0.1 \times [SI(t_{35}) + D_{-}(port3, port4) + SI(t_{36}) + SI(t_{34})]$$
  
= [4.1, 9.1].

Based on these values, we have verified  $c_3: port5 \rightarrow AF^{\leq 20} port6$  and  $c_2: port3 \rightarrow AF^{\leq 12} port4$ . Therefore, all constraints have been verified.

## 5.2. Constraints decomposition and incremental verification across design levels

Our technique for constraint decomposition and incremental verification across design levels consists of three basic elements: (1) We automatically derive constraints for the lower-level design that is consistent with the higher-level constraints. (2) The lower-level design is verified using the technique discussed in the last section. (3) The sub-architecture is plugged into the parent-level architecture to form a more detailed architectural model.

In fact, when we refine an RAS component into a sub-architecture, the RAS model mandates that it inherit all the ports from the high-level component to ensure interface consistency. During the verification of the high-level design, we compute time delays for certain port pairs of (input port, output port). Correctness of the high-level design is contingent on the values of these time delays. So for the lower level design, we add these delays as constraints that must be satisfied. As long as these constraints are satisfied, we can ensure that the lower-level designs is consistent with the high-level design. If on all these port-pairs there are component constraints defined, then the lower-level design is just required to obey these component constraints.

Let's take the analysis of the FMS as an example. In the last subsection, we finished the verification of its high-level design. Figure 8 shows ports port3, port4, port5 and port6 are inherited from Fig. 6, the highlevel (top-level in fact) design model for CS. From the top-level RAS model we know that component CS is only subject to a component constraint  $c_2$ . Therefore,  $c_2$ : port3  $\rightarrow AF^{\leq 12}$  port4 is used as the constraint of the lower-level design.

#### 6. Conclusion

Based on the requirement of the modeling, design, and analysis of FMS, we have presented an RAS-based incremental approach to architectural modeling and verification of real-time distributed systems, and illustrated the use of the approach to incrementally model a given FMS. The contribution of this paper is twofold: First, it provides a systematic way to link real-time system constraints to the process of formal modeling and analysis to ensure that the constraints are met at any given design level. Second, our approach is scalable in both modeling and analysis. We also proposed a two dimensional incremental verification technique, which further shows the benefits of our RAS model. To enlarge the applicable area of the verification technique, we are improving it by weakening its precondition for application.

#### Appendix: Formal description of reduction rules

In this appendix we give the formal description of our component-level reduction rules for TPN's.

#### Component-Level Reduction Rule 1

Let N be the TPN model of a system, and  $N_C$  the TPN model of a component in the system.  $C \cdot PORT \_IN = \{port\}, C \cdot PORT\_OUT = \{port2\}.$ The component has no enabled transition under the initial marking of N. If

(1) whenever *port*1 receives a token, *port*2 is guaranteed to receive a token in the future, and

(2) *port*1 cannot receive another token until *port*2 has received a token,

then we can reduce N into N' by replacing  $N_C$  with a simple net which is composed of two places: *port1* and *port2*, and one transition:  $t_{(1,2)}$ , such that

(1)  $port1^* =^* port2 = \{t_{(1,2)}\}, t_{(1,2)} = \{port1\}, t_{(1,2)}^* = \{port2\}, while *port1 and port2* remain unchanged, and$ 

Wang and Deng

(2)  $SI(t_{(1,2)}) = SI_{-}(port1, port2)$ , the latter is the time delay interval for the token transfer from *port1* to *port2*. (See Fig. 9.)

#### Component-Level Reduction Rule 2

Let N be the TPN model of system S, and  $N_C$  the TPN model of component C of S. C.PORT\_IN = {port1, port2}, C.PORT\_OUT = {port3}, and port1\* = port2\*. The component has no enabled transition under the initial marking of N. If

(1) whenever both *port1* and *port2* receive a token, *port3* is guaranteed to receive a token in the future, and

(2) at least one of *port1* and *port2* cannot receive another token until *port3* has received a token,

then we can reduce N into N' by replacing  $N_C$  with a simple net which is composed of three places: *port1*, *port2* and *port3*, and one transition:  $t_{((1,2),3)}$ , such that

(1)  $port1^* = port2^* = * port3 = \{t_{((1,2),3)}\}, * t_{((1,2),3)} = \{port1, port2\}, t_{((1,2),3)}^* = \{port3\}, while * port1, * port2 and port3^* remain unchanged, and$ 

(2)  $SI(t_{((1,2),3)}) = SI_{-}((port1, port2), port3)$ , the latter is the time delay interval from two tokens arriving in *port1* and *port2*, respectively, to a token reaching *port3*. (See Fig. 10.)

#### Component-Level Reduction Rule 3:

Let N be the TPN model of a system S, and  $N_C$  the TPN model of component C of S. C.PORT\_IN = {port1}, C.PORT\_OUT = {port2, port3}. The component has no enabled transition under the initial marking of N. If

(1) whenever *port1* receives a token, one and only one of *port2* and *port3* is guaranteed to receive a token in the future, and

(2) *port1* cannot receive another token until one of *port2* and *port3* has received a token,

then we can reduce N into N' by replacing  $N_C$  with a simple net which is composed of three places: *port1*, *port2* and *port3*, and two transition:  $t_{(1,2)}$  and  $t_{(1,3)}$ , such that

(1)  $port1^* = \{t_{(1,2)}, t_{(1,3)}\}, port2 = \{t_{(1,2)}\}, port3 = \{t_{(1,3)}\}, t_{(1,2)} = t_{(1,3)} = \{port1\}, t_{(1,2)}^* = \{port2\}, t_{(1,2)}^* = \{port3\}, while *port1, port2^* and port3^* remain unchanged, and$ 

(2)  $SI(t_{(1,2)}) = SI_{-}(port1, port2)$ , and  $SI(t_{(1,3)}) = SI_{-}(port1, port3)$ . (See Fig. 11.)

Т С С nc ar fu DC th SU pe t(1  $\{t$ {*I* {Įre SI Ce Le TH  $\{p\}$ po tra tol rec an rec the sin DO. SUG

 $\{t_i\}$ 

t\* ((

po;

(pc

(

Ir.

С

L

the tl to

)eng

ГРN N =

and

bled

ken,

, and :eive

ith a *ort*1,

such

vhile d the

)kens .oken

c the IN = comnitial

l only token

me of

vith a port 1,

t(1,3),

1,2) = \* and

,3) =

Incremental modeling and verification of flexible manufacturing systems

#### Component-Level Reduction Rule 4:

Let N be the TPN model of a system S, and  $N_C$  the TPN model of component C of S. C.PORT  $IN = \{port1\},\$ 

 $C.PORT\_OUT = \{port2, port3\}$ . The component has no enabled transition under the initial marking of N. If

(1) whenever *port*1 receives a token, both of *port*2 and *port*3 are guaranteed to receive a token in the future, and

(2) *port1* cannot receive another token until both of *port2* and *port3* have received a token,

then we can reduce N into N' by replacing  $N_C$  with a simple net which is composed of four places: *port11*, *port12*, *port2* and *port3*, and two transition:  $t_{(11,2)}$  and  $t_{(12,3)}$ , such that

(1) \*port11 =\* port12 =\* port1, port11\* =  $\{t_{(11,2)}\}, port12* = \{t_{(12,3)}\}, t_{(11,2)} = \{port11\}, t_{(11,3)} = \{port12\}, t_{(11,2)}^* = \{port2\}, t_{(12,3)}^* = \{port3\}, while port2* and port3* remain unchanged, and$ 

(2)  $SI(t_{(11,2)}) = SI_{-}(port1, port2)$ , and  $SI(t_{(12,3)}) = SI_{-}(port1, port3)$ . (See Fig. 12.)

#### Component-level Reduction Rule 5:

Let *N* be the TPN model of a system *S*, and *N<sub>C</sub>* the TPN model of component *C* of *S*. *C.PORT\_JN* = {*port*1, *port*2}, *C.PORT\_OUT* = {*port*3, *port*4}, and *port*1\* = *port*2\*. The component has no enabled transition under the initial marking of *N*. If

(1) whenever both *port*1 and *port*2 receives a token, both of *port*3 and *port*4 are guaranteed to receive a token in the future, and

(2) at least one of *port1* and *port2* cannot receive another token until both of *port3* and *port4* have received a token,

then we can reduce N into N' by replacing  $N_C$  with a simple net which is composed of four places: *port1*, *port2*, *port3* and *port4*, and one transition:  $t_{((1,2),(3,4))}$ , such that

(1)  $port1^* = port2^* =^* port3 =^* port4 =$ { $t_{((1,2),(3,4))}$ }, \* $t_{((1,2),(3,4))} =$  {port1, port2} and  $t^*_{((1,2),(3,4))} =$  {port3, port4}, while \*port1, \*port2,  $port3^*$  and  $port4^*$  remain unchanged, and (2)  $SI(t_{((1,2),(3,4))} = SI_{-}((port1, port2)),$ 

(port3, port4)). (See Fig. 13.)

#### Refereces

- Baldasssri, M. and Bruno, G. (1991) Protob: An objectoriented methodology for developing discrete event dynamic systems. *Computer Language*, **16**(1), 39-63.
- Bastide, R., Blanc, C. and Palanque, P. (1993) Cooperative objects: A concurrent Petri-net based, objectedoriented language, in *Proceedings of the IEEE International Conference on System, Man and Cybernetics*, 3, 286–291.
- Battiston, E., Cindio, F. and Mauri, G. (1988) Objsa nets: A class of high-level nets having objects as domains, in Advances in Petri Nets, Lecture Notes on Computer Science, 340, 20–43.
- Berthomieu, B. and Diaz, M. (1991) Modeling and verification of time dependent systems using time Petri nets. *IEEE Transactions on Software* Engineering, 17(3), 259–273.
- Brussel, H. V., Peng, Y. and Vallckenaers, P. (1993) Modeling flexible manufacturing systems based on Petri nets. Annals of the CIRP, 42(1), 479–484.
- Bucci, G. and Vicario, E. (1995) Compositional validation of time-critical systems using communicating time Petri nets. *IEEE Transactions on Software Engineering*, 21(12), 969–992.
- Camurri, A., Franchi, P., Gandolfo, F. and Zaccaria, R. (1993) Petri net based process scheduling: a model of the control system of flexible manufacturing systems. *Journal of intelligent and Robotic Systems*, 8, 99–123.
- Deng, Y. and Yang, C. (1999) Architecture-driven modeling of real-time concurrent systems with application in FMS. Journal of Systems and Software 45, 61-78.
- Deng, Y., Wang, J. and Sinha, R. K. (1997) Integrated Architectural Modeling of Real-Time Concurrent Systems with Applications in FMS, Technical Report, School of Computer Science, Florida International University.
- D'souza, K. A. and Khator, S. K. (1994) A survey of Petri net applications in modeling controls for automated manufacturing systems. *Computers in Industry*, 24, 5–16.
- Elmaraghy, H. A. and Ravi, T. (1992) Modern tools for the design, modeling and evaluation of flexible manufacturing systems. *Robotics & Computer-Integrated Manufacturing*, 9(4), 335–340.
- Emerson, E. A., Mok, A. K., Sistla, A. P. and Srinivasian, J. (1992) Quantitative temporal reasoning. *Real-Time Systems*, 4, 331–352.
- Huang, H. P. and Chang, P. C. (1992) Specification, modeling and control of a flexible manufacturing cell. *International Journal of Production Research*, 30(11), 2515–2543.

Knapp, G. M. and Wang, H. P. (1992) Modeling

Wang and Deng

Joi

Ir

m

ar

S.

Dej

Rec

In t

mai

rest

acc

ope

to a

Key

1.

Vir

inte

sen imi onr env det of : Dis env the eac mil

\*Th Rob of tl Eng Uni<sup>•</sup> Eng beer Reg<sup>•</sup> Cen<sup>•</sup> 095

of automated storage/retrieval systems using Petri nets. *Journal of Manufacturing Systems*, **11**(1), 20–29.

- Lee, Y. and Park, S. (1993) Opnets: An object-oriented highlevel Petri net model for real-time systems. *Journal of Systems & Software*, SE-13(3), 69–86.
- Lin, J. T. and Lee, C. C. (1995) A CTPN-based scheduler for a flexible manufacturing cell. *Journal of the Chinese Institute of Engineers*, 18(5), 655–672.
- Luckham, D. C., Kenny, J. J., Augustin, L. M., Vera, J., Bryan, D. and Mann, W. (1995) Specification and analysis of system architecture using Rapide. *IEEE Transactions on Software Engineering*, 21(4), 336–355.
- Luckham, D. C., Vera, J. and Meldal, S. (1995) *Three* concepts of system architecture, Technical Report, Stanford University.
- Mandrioli, D., Morzenti, A., Pezze, M., Pietro P. S. and Silva, S. (1995) A Petri net and logic approach to the specification and verification of real time systems, in *Formal Methods for Real time Computing*, Heitmeyer, C. and Mandrioli, D. (eds.), John Wiley & Sons Ltd.
- Meng, J., Soh, Y. C. and Wang, Y. (1995) A TCPN model and deadlock avoidance for FMS jobshop scheduling and control system. *IEEE International Workshop on Emerging Technologies and Factory Automation*, Paris France, 521–532.
- Murata, T. Petri nets: Properties, analysis and applications. *Proceedings of IEEE*, 77(4).
- Pnueli, A. (1977) The temporal logic of programs. Proceedings of 18th Annual IEEE Symposium on Foundations of Computer Science, 46–57.

- Qadri, F. and Robbi, A. (1994) Timed Petri nets for flexible manufacturing cell design. *IEEE International Conference on Systems, Man and Cybernetics*, Texas, 1695–1699.
- Shukla, C. S. and Chen, F. F. (1996) The state-of-the-art in intelligent real-time FMS control: a comprehensive survey. *Journal of Intelligent Manufacturing* 7(6), 441–456.
- Sloan, R. and Buy, U. (1996) Reduction rules for time Petri nets. Acta Informatica, 33, 687–706.
- Solot, P. and Vliet, M. V. (1994) Analytical models for FMS design optimization: A survey. *International Journal of Flexible Manufacturing Systems*, 6(3), 209–233.
- Wang, L.-C. (1996) The development of an object-oriented Petri net cell control model. *International Journal on* Advanced Manufacturing Technology, 11, 59–69.
- Zhou, M. C., Dicesare, F. and Rudolph, D. L. (1992) Design and implementation of a Petri net based supervisor for a flexible manufacturing system. *Automatica*, 28(6), 1199–1208.
- Zhou, M. C., McDermott, K. and Patel, P. A. (1993) Petri net synthesis and analysis of a flexible manufacturing system cell. *IEEE Transactions on System, Man and Cybernetics*, 23(2), 523–531.
- Zhou, Q., Wang, M. and Dutta, S. P. (1995) Generation of optimal control policy for flexible manufacturing cells: a Petri net approach. *International Journal of Advanced Manufacturing technology*, **10**, 59–65.
- Zuberek, W. M. (1995) Schedules of flexible manufacturing cells and their timed colored Petri net models. *IEEE International Conference on Systems, Man and Cybernetics*, New York, 2142–2147.

PER TJ212. 16 416

# Journal of Intelligent Manufacturing

Volume 10 Number 6 December 1999 ISSN 0956-5515 CODEN JIMNEM



Kluwer Academic Publishers