Fluid Petri Nets and hybrid model-checking: a comparative case study

doi:10.1016/S0951-8320(03)00089-9

Reliability Engineering & System Safety

Volume 81, Issue 3, September 2003, Pages 239-257

https://doi.org/10.1016/S0951-8320(03)00089-9 Get rights and content

Abstract

The modeling and analysis of hybrid systems is a recent and challenging research area which is actually dominated by two main lines: a functional analysis based on the description of the system in terms of discrete state (hybrid) automata (whose goal is to ascertain conformity and reachability properties), and a stochastic analysis (whose aim is to provide performance and dependability measures).

This paper investigates a unifying view between formal methods and stochastic methods by proposing an analysis methodology of hybrid systems based on Fluid Petri Nets (FPNs). FPNs can be analyzed directly using appropriate tools. Our paper shows that the same FPN model can be fed to different functional analyzers for model checking. In order to extensively explore the capability of the technique, we have converted the original FPN into languages for discrete as well as hybrid as well as stochastic model checkers. In this way, a first comparison among the modeling power of well known tools can be carried out.

Our approach is illustrated by means of a ‘real world’ hybrid system: the temperature control system of a co-generative plant.

Introduction

This paper investigates a unifying view between formal methods and stochastic methods for hybrid systems by proposing an analysis methodology based on Fluid Petri Nets (FPNs) [1], [16], [14]. The case study, that is used to illustrate the methodology, is a discrete state controller that operates according to the variation of suitable continuous quantities (temperature, heat consumption).

Model parameters are usually affected by uncertainty. A common way to account for parameter uncertainty is to assign to the parameters a range of variation (between a minimum and a maximum value), without any specification on the actual value in a specific realization (nondeterminism). Hybrid automata [3] and model checking tools [8] operate along this line. If a weight can be assigned to the parameter uncertainty through a probability distribution, the nondeterministic model is replaced by a stochastic model: the FPN formalism [16], [11] has been proposed to include stochastic specifications. Recently, probabilistic model checkers of Markovian models have also been implemented [4], [20].

This paper intends to show that a FPN model of a hybrid system can be used as an input model both for functional analysis as well as for stochastic analysis. In particular, this paper shows that the a FPN model can be translated into a hybrid automaton model [2], [24], a discrete model [5], or, finally, a discrete/probabilistic model [20].

FPN's are an extension of Petri nets able to model systems with the coexistence of discrete and continuous state variables [1], [16], [14]. The main characteristics of FPN is that the primitives (places, transitions and arcs) are partitioned in two groups: discrete primitives that handle discrete tokens (as in standard Petri nets) and continuous (or fluid) primitives that handle continuous quantities (referred to as fluid). Hence, in a single formalism, both discrete and continuous variables can be accommodated and their mutual interaction represented.

Even if Petri nets and model checking rely on very different conceptual and methodological bases (one coming from the world of performance analysis and the other from the world of formal methods), we attempt to gain cross fertilizations from the two areas. The main goal of this paper is to investigate the possibility of defining a methodology which allows us to apply a common FPN model both for formal specification and verification via model checking and for performance analysis.

We describe our approach and show its usefulness by using a meaningful ‘real world’ application. We take the control system for the temperature of the primary and secondary circuits of the heat exchange section of the ICARO co-generative plant [4] in operation at ENEA CR Casaccia as our example. The plant is composed of two sections: the gas turbine that produces electrical power and the heat exchange section that extracts heat from the turbine gases.

The comparative analysis documented in this paper using the case study, allows us to draw some preliminary conclusions about the modeling power of the tools and techniques we utilize and their analytical tractability.

The paper is organized as follow. Section 2 describes the case study. Section 3 introduces the main elements of the FPN formalism, provides a FPN model for the case study and show some results obtained with the simulator described in Ref. [10]. Section 4 introduces the concept of hybrid automata, provides the conversion of the FPN model into a hybrid automaton and analyzes the resulting hybrid automaton by means of the tool HyTech [18]. Section 5 shows how the same FPN model can be translated into a discrete model suitable for the model checker NuSMV [23] and provides some experimental results. Section 6 translates the FPN model into a DTMC model suitable for the probabilistic model checker PRISM [22]. Section 7 concludes the paper with some preliminary considerations about the modeling and analysis features of the different tools.

Section snippets

Temperature control system

The ICARO co-generative plant comprises two sections: the electrical power generation and the heat extraction from the turbine exhaust gases. The exhaust gases can be conveyed to a re-heating chamber to heat the water of a primary circuit and then, through a heat exchanger, to heat the water of a secondary circuit that, actually, is the heating circuit of the ENEA Research Center. If the thermal energy required by the end user is higher than the thermal energy of the exhaust gases, fresh

Fluid petri nets

FPN are an extension of standard Petri Nets [21], where, beyond the places that contain a discrete number of tokens, a new kind of place is added that contains a continuous quantity (fluid). Hence, this extension is suitable for modeling and analyzing hybrid systems. Two main formalisms have been developed in the area of FPN: the Continuous or Hybrid Petri net (HPN) formalism [1], and the Fluid Stochastic Petri net (FSPN) formalism [16], [14]. A complete presentation of FPN is beyond the scope

Hybrid automata

A hybrid automaton [3] is a finite state machine whose nodes (called control modes or locations) contain real valued variables with a definition of their first derivatives and possible bounds on their values. The edges represent discrete events and are labeled with guarded assignments on the real variables.

Given a hybrid automaton and a legal formula on its variables (essentially a legal formula is a Boolean combination of linear constraints), the model checking problem asks to compute a region

Analysis of the FPN model via NuSMV

Discrete model checking is based on a finite state machine model in which the variables and their derivatives are discretized and in which the time increases with a predefined time step. The parameters and their derivatives can be assigned uncertainty ranges (e.g. a min and a max value) with nondeterministic logic. The predicates to be checked are specified using a Computational Tree Logic (CTL) or a Real Time CTL (RTCTL) [8], [9].

In order to show the generality of our approach and to give an

Probabilistic model checking

In this section, we move from a nondeterministic setting to a probabilistic one and show some typical results that can be obtained from a probabilistic model checker. In particular, rather than using a nondeterministic model for the user demand u (as we did in 4.2 From hybrid automata to HyTech, 5 Analysis of the FPN model via NuSMV) here we use a probabilistic model (as we did in Section 3.3. This allows us to exploit the statistical knowledge about the user demand dynamics. As a result the

Discussion and conclusion

Using a real world hybrid system as a case study we presented an approach to integrate FPNs and model checking via hybrid automata and discrete as well as probabilistic models. Such integration turned out to be conceptually useful but raised a series of questions and problems that we want to elucidate and discuss in the present section. The goal of this discussion is not to compare the real power of the different tools used in this study, but is limited to the experience gained within our

References (25)

G. Horton et al.
Fluid stochastic Petri nets: theory, application and solution techniques
Eur J Operat Res
(1998)
H. Alla et al.
Continuous and hybrid Petri nets
J Syst Circuits Comput
(1998)
Allam M. Sur l'analyse quantitative des réseaux de Petri hybrides: une approche baseée sur les automates hybrides....
R. Alur et al.
Automatic symbolic verification of embedded systems
IEEE Trans Software Engng
(1996)
C. Baier et al.
Model checking continuous-time Markov chains by transient analysis
A. Bobbio et al.
Petri nets with discrete phase timing: a bridge between stochastic and functional analysis
R. Bryant
Graph-based algorithms for Boolean function manipulation
IEEE Trans Comput
(1986)
G. Ciardo et al.
Discrete-event simulation of fluid stochastic Petri nets
IEEE Trans Software Engng
(1999)
E.M. Clarke et al.
Automatic verification of finite state concurrent systems using temporal logic specifications: a practical approach
ACM Trans Program Languages Syst
(1986)
E.A. Emerson et al.
Quantitative temporal reasoning
J Real Time Syst
(1992)

Gribaudo M. FSPNEdit: a fluid stochastic Petri net modeling and analysis tool. Technical report, Tools of...

Gribaudo M. Hybrid formalism for performance evaluation: theory and applications. Technical report, PhD Thesis,...

Cited by (23)

A formal method for assessing the impact of task-based erroneous human behavior on system safety
2019, Reliability Engineering and System Safety
Citation Excerpt :
Formal methods are mostly used to engineer and analyze computer hardware and software [31,38]. They have also been used to evaluate the safety and reliability of abstract representations of complex and cyberphysical systems [39–43]. Because they are adept at finding problems that arise from interactions between components in complex systems, researchers have been exploring how formal methods (and especially model checking) can be used for human interactive systems [13–15,44–47].
Erroneous human behavior is often cited as a major factor to system failure. However, the complexity of the human-automation interaction can make it difficult for engineers to anticipate how erroneous human behavior can contribute to failures. In this work, we introduce a novel method for generating human errors based on the task-based taxonomy of erroneous human behavior. This allows erroneous acts to manifest as divergences from task models. We implement our method using the Enhanced Operator Function Model. We further show how the method can be used with formal system modeling and formal verification with model checking to prove whether or not potentially unanticipated erroneous behavior could contribute to system failures. We evaluate how our method scales and use it to evaluate three case studies: a radiation therapy machine, a pain medication pump, and an Apache helicopter. We discuss these results and explore options for future work.
Nuclear safety-critical Digital Instrumentation and Control system software: Reliability demonstration
2018, Annals of Nuclear Energy
Citation Excerpt :
However, due to the complexity of software products, it is difficult to find and correct all the defects of software products through software testing hence, a great deal of software failures and defects are often found in the application process (Flowers, 1996). A great deal of methodologies have already been applied for analyzing the reliability of NPPs digital systems, such as Continuous Event Trees (CET) (Devooght and Smidts, 1992), Dynamic Event Trees (DET) (Hsueh and Mosleh, 1996; Cojazzi and Cacciabue, 1996), Dynamic Fault Trees (DFT) (Andrews and Dugan, 1999), Petri-net (Rauzy, 2002; Horváth et al., 2003), Black Box Testing (Beizer, 1995), Test Based Approaches (Li et al., 2005), etc. Almost all these methods are able to assess whether the digital system meets the regulatory requirements, that is, they are probabilistic methods for describing common faults, and can model software which combines with hardware (Aldemir et al., 1999).
A software reliability demonstration method was designed for the modeling and analysis of nuclear safety-critical Digital Instrumentation and Control (DI&C) system software. A “Reliability Demonstration of Safety-critical Software, RDSS” platform based on the Claim-Argument-Evidence (CAE) is presented to help the analysts for the analysis and evaluation of the software reliability. A novel method transformed the CAE method into Bayesian Brief Network (BBN) was proposed for the mining of the most sensitive elements (Evidence) in the DI&C system by sensitivity analysis with three reasoning methods. Moreover, this paper proposes an engineering approach for the identification of the vulnerability elements which influenced the reliability of DI&C system software life cycle.
Model-based verification method for solving the parameter uncertainty in the train control system
2016, Reliability Engineering and System Safety
Citation Excerpt :
For reliability analysis and dependability evaluation, Petri Nets (PN), Colored Petri Nets (CPN) and Stochastic Petri Nets (SPN) are proposed and applied [10–15].
This paper presents a parameter analysis method to solve the parameter uncertainty problem for hybrid system and explore the correlation of key parameters for distributed control system. For improving the reusability of control model, the proposed approach provides the support for obtaining the constraint sets of all uncertain parameters in the abstract linear hybrid automata (LHA) model when satisfying the safety requirements of the train control system. Then, in order to solve the state space explosion problem, the online verification method is proposed to monitor the operating status of high-speed trains online because of the real-time property of the train control system. Furthermore, we construct the LHA formal models of train tracking model and movement authority (MA) generation process as cases to illustrate the effectiveness and efficiency of the proposed method. In the first case, we obtain the constraint sets of uncertain parameters to avoid collision between trains. In the second case, the correlation of position report cycle and MA generation cycle is analyzed under both the normal and the abnormal condition influenced by packet-loss factor. Finally, considering stochastic characterization of time distributions and real-time feature of moving block control system, the transient probabilities of wireless communication process are obtained by stochastic time petri nets.
Integrated deterministic and probabilistic safety assessment: Concepts, challenges, research directions
2014, Nuclear Engineering and Design
Citation Excerpt :
These methods have been developed into software for nuclear application, with limitations coming from the computational burden and the processing of the large amount of data generated. As previously mentioned, there are also methods with graphical interfaces, like Petri nets (Dutuit et al., 1997; Gribaudo et al., 2006), dynamic flowgraphs (Guarro et al., 1996; Yau, 1997), dynamic fault-trees (Andrews and Dugan, 1999; Cepin and Mavko, 2001), the event-sequence diagram (ESD) approach (Swaminathan and Smidts, 1999), and the GO-FLOW methodology (Matsuoka and Kobayashi, 1988, 1991). Dynamic fault-trees make use of timed-house events or functional dependency gates to describe the time-varying dependencies between basic events, which arise from hardware coupling through system dynamics, system configuration changes (e.g., due to maintenance) or digital control.
Integrated deterministic and probabilistic safety assessment (IDPSA) is conceived as a way to analyze the evolution of accident scenarios in complex dynamic systems, like nuclear, aerospace and process ones, accounting for the mutual interactions between the failure and recovery of system components, the evolving physical processes, the control and operator actions, the software and firmware. In spite of the potential offered by IDPSA, several challenges need to be effectively addressed for its development and practical deployment. In this paper, we give an overview of these and discuss the related implications in terms of research perspectives.
A survey of dynamic methodologies for probabilistic safety assessment of nuclear power plants
2013, Annals of Nuclear Energy
Citation Excerpt :
Work is in progress to address the latter challenge (Podofillini et al., 2008; Zio and Baraldi, 2009; Mandelli et al., 2010a,b). Methods with graphical interfaces include Petri nets (Dutuit et al., 1997; Gribaudo et al., 2006), dynamic flowgraphs (Guarro et al., 1996; Yau, 1997), dynamic fault-trees (Andrews and Dugan, 1999; Cepin and Mavko, 2001), the event-sequence diagram (ESD) approach (Swaminathan and Smidts, 1999), and the GO-FLOW methodology (Matsuoka and Kobayashi, 1988, 1991). Methods with graphical interfaces are usually compatible with the ET/FT approach.
Dynamic methodologies for probabilistic safety assessment (PSA) are defined as those which use a time-dependent phenomenological model of system evolution along with its stochastic behavior to account for possible dependencies between failure events. Over the past 30 years, numerous concerns have been raised in the literature regarding the capability of the traditional static modeling approaches such as the event-tree/fault-tree methodology to adequately account for the impact of process/hardware/software/firmware/human interactions on the stochastic system behavior. A survey of the types of dynamic PSA methodologies proposed to date is presented, as well as a brief summary of an example application for the PSA modeling of a digital feedwater control system of an operating pressurized water reactor. The use of dynamic methodologies for PSA modeling of passive components and phenomenological uncertainties are also discussed.
A safety assessment methodology applied to CNS/ATM-based air traffic control system
2011, Reliability Engineering and System Safety
Citation Excerpt :
Graphical representation of FSPN elements are illustrated in Fig. 4. According to [27], it is possible to unify stochastic and formal methods using FSPN to modeling and analyzing systems with discrete and continuous parts. Considering the evolution of FSPN from elementary Petri Nets, FSPN can be used for modeling system functional properties related to their discrete states, such as conformity and reachability states.
In the last decades, the air traffic system has been changing to adapt itself to new social demands, mainly the safe growth of worldwide traffic capacity. Those changes are ruled by the Communication, Navigation, Surveillance/Air Traffic Management (CNS/ATM) paradigm , based on digital communication technologies (mainly satellites) as a way of improving communication, surveillance, navigation and air traffic management services. However, CNS/ATM poses new challenges and needs, mainly related to the safety assessment process. In face of these new challenges, and considering the main characteristics of the CNS/ATM, a methodology is proposed at this work by combining “absolute” and “relative” safety assessment methods adopted by the International Civil Aviation Organization (ICAO) in ICAO Doc.9689 [14], using Fluid Stochastic Petri Nets (FSPN) as the modeling formalism, and compares the safety metrics estimated from the simulation of both the proposed (in analysis) and the legacy system models. To demonstrate its usefulness, the proposed methodology was applied to the “Automatic Dependent Surveillance-Broadcasting” (ADS-B) based air traffic control system. As conclusions, the proposed methodology assured to assess CNS/ATM system safety properties, in which FSPN formalism provides important modeling capabilities, and discrete event simulation allowing the estimation of the desired safety metric.

View all citing articles on Scopus

^☆: This research has been partially supported by the Italian Ministry of Education under Grants FIRB-RBNE019N8N and MEFISTO.

View full text

Fluid Petri Nets and hybrid model-checking: a comparative case study☆

Abstract

Introduction

Section snippets

Temperature control system

Fluid petri nets

Hybrid automata

Analysis of the FPN model via NuSMV

Probabilistic model checking

Discussion and conclusion

Eur J Operat Res

Continuous and hybrid Petri nets

J Syst Circuits Comput

Automatic symbolic verification of embedded systems

IEEE Trans Software Engng

Model checking continuous-time Markov chains by transient analysis

Petri nets with discrete phase timing: a bridge between stochastic and functional analysis

Graph-based algorithms for Boolean function manipulation

IEEE Trans Comput

Discrete-event simulation of fluid stochastic Petri nets

IEEE Trans Software Engng

Automatic verification of finite state concurrent systems using temporal logic specifications: a practical approach

ACM Trans Program Languages Syst

Quantitative temporal reasoning

J Real Time Syst