Dual-model approach for safety-critical embedded systems

Microprocessors and Microsystems 72 (2020) 102924

Contents lists available at ScienceDirect

Microprocessors and Microsystems journal homepage: www.elsevier.com/locate/micpro

Dual-model approach for safety-critical embedded systems b Grzegorz Łabiak a,∗, Marek Wegrzyn ¸ , Alfredo Rosado-Muñoz c, Grzegorz Bazydło a a

University of Zielona Góra, Institute of Electrical Engineering, ul. Podgórna 50, 65-246 Zielona Góra, Poland Space Research Centre, Polish Academy of Sciences (CBK PAN), Space Robot Dynamics Laboratory, ul. Nowy Kisielin-A.Syrkiewicza 6, 66-002 Zielona Góra, Poland c University of Valencia, GPDS, Dept. of Electronic Engineering, ETSE-School of Engineering, Burjassot 46100, Valencia, Spain b

a r t i c l e

i n f o

Article history: Received 9 May 2018 Revised 31 March 2019 Accepted 18 October 2019 Available online 18 October 2019 Keywords: Control unit Embedded systems Safety-critical systems Dual modular redundancy (DMR) High-level modeling Petri nets UML State machines FPGA

a b s t r a c t The paper presents the design of digital controllers based on two models: the Petri net model, and the UML state machine. These two approaches differ in many aspects of design flow, such as conceptual modelling, and analysis and synthesis. Each of these approaches can be used individually to design an efficient logic controller, and such solutions are well-known, but their interoperability can contribute to a much better understanding of logic controller design and validation. This is especially important in the case of safety- or life-critical embedded systems, and apart from this, a dual-model controller design can make up redundant system increasing its reliability.

1. Introduction A high-level design of control units of embedded systems requires an abstract modelling of the behaviour of the controller independently of implementation technology. A fundamental role in modelling is played by a formalism which on the one hand should facilitate description of the main behavioural features of the complex controllers, and on the other hand the formalism should be precise enough to enable automatic and effective implementation in modern programmable devices. The qualities of the modelling formalism are the results of the nature of modeled control units and their application, whereas the implementation scheme is a consequence of the logic structure and architecture of the target device. 1.1. Logic controller as a reactive system A digital control unit, or simply logic controller, is a kind of system which belongs to a broader class of systems called reactive systems. There are the two main types of computational systems: ∗

Corresponding author. E-mail addresses: [email protected] (G. Łabiak), [email protected] (M. Wegrzyn), ¸ [email protected] (A. Rosado-Muñoz), [email protected] (G. Bazydło).

https://doi.org/10.1016/j.micpro.2019.102924 0141-9331/© 2019 Published by Elsevier B.V.

© 2019 Published by Elsevier B.V.

computer reactive systems, and transformational systems. However, the reactive systems require specially dedicated formalisms to design them, beyond the traditional methods used in the design of transformational systems. Transformational systems can be viewed as data-driven systems that work in batch mode. The system waits for the data as its inputs, then for some period of time transforms the data, and next generates results as its outputs. In the case of a deterministic algorithm, the system in fact realizes a mathematical function, and when computations are not deterministic, the system acts as a relational system. Reactive systems cannot be adequately represented by functional or relational views. This is because reactive systems, by nature, are interactive. Basically, they are continuously having to react to external/internal stimuli and, secondly, their responses to the stimuli are immediate for the observer. Examples of reactive systems are process control systems, avionic systems, operating systems, robots, chemical plants or space vehicles. Such types of behaviour cannot be described in functional or relational terms. The main role of the reactive system is to coordinate the behaviour of its environment by means of continuous interaction. This consists in telling the environment what actions are to be executed and when, e.g. what conditions are to be met for any actions to occur. Reactive systems are control or event driven. The issue of how, i.e., how to process the data, is of a functional nature and needs separate attention.

2

G. Łabiak, M. Wegrzyn ¸ and A. Rosado-Muñoz et al. / Microprocessors and Microsystems 72 (2020) 102924

1.2. Modelling behaviour Reactive systems cannot be described according to classic declarative or imperative algorithmic paradigms. There is no one notation which would fulfil all the needs in formal description of the reactive system’s behaviour, but it seems that the best way to capture the reactive nature is by a notation which operates with the notion of a state, where the state can be understood as a set of values in the system. However, notation using only states and transitions between them, e.g. Finite State Machine (FSM), has a serious drawback, namely, typical reactive behaviour is complex and this makes its description muddled and consists of a multitude of states tangled up with arcs. Moreover, the state description very often accompanies a state explosion problem. Therefore, a good formalism requires support for concurrency – owing to this feature there is no need for setting up states for every permutation of events and the state explosion problem is sufficiently relaxed. The best example of a formalism with concurrency and historically the first are Petri nets. The concurrency in this notation enables the description of behaviour to consist in a smaller number of artefacts (e.g., places), but in the case of complex behaviour this is not enough. A hierarchy, introduced next to concurrency in David Harel’s statecharts, allows not only the modularization of behaviour but additionally the generalization of behaviour in an abstract manner. The hierarchy gives a notion of depth that allows the refinement of an abstract state into more detailed states or sequential automata in concurrency relationships, and the states of these automata can be further refined, hence leading to the creation of a hierarchy tree of states.

havioural description into HDL and in commercial CAD systems (e.g., Xilinx Vivado). Both CAD systems and transformation scheme from behavioural description must take into account the architectural details of specific programmable target devices. From the beginning of the design process the controller must be validated, that is, the designer must positively answer the question ”Am I building the right thing?”. The Answer to this question is not an easy task, because the designer must check the customer’s actual needs and this process is informal by nature. However, the validation can be partially supported by a verification process, which is formal and gives answers to the question of whether the controller is well engineered. Hence, good verification methods are very important in the design process to partially validate controller specification. 1.5. Paper structure The paper is organised as follows. The first section makes a general presentation of what the control unit is, how to specify its behaviour and how to implement the controller. Section two analyzes related work in the field of control unit design and synthesis. Section three discusses design flow, from conceptual modelling to hardware implementation with the particular role of high level description, where two graphical forms of controller behaviour, namely Petri nets and UML state machines, are detailed presentation. Section four presents an example of an industrial plant where a controller steers the industrial process, and section five provides the conclusions. 2. Related works

1.3. Context of the controller Logic controllers are basically state-based systems. This means that the controller operates on events and responds to its environment by means of events also, but in practice the objects controlled by the controller are not always only event-driven. Some applications are required to control data processing, and thus the whole control system exhibits traits of the transformational system, and its components can be presented in a functional/relational perspective. Because of the latter mentioned applications, control units of embedded systems are applied in two configurations: (1) binary controller with controlled object and (2) control unit with data path [18]. The context of the controller, i.e., its surroundings, can differ. 1.4. Design and implementation The design and a physical implementation of the logic controller proceeds from a high-level conceptual modelling [13] through Hardware Description Languages (HDLs) and Computer Aided Design (CAD) systems to hardware implementation in programmable devices. The conceptual modelling results in a formal notation which a controller under design takes on. Historically, the first applied notation in this field is Finite State Machine, graphically represented by State Transition Graph (STG). This notation is a very primitive form with many drawbacks, but it is still readily applied by practitioners. In the paper some enhanced versions of STG, namely Petri nets and UML state machines, are proposed. Next, the behaviour of the controller formally defined at the stage of conceptual modelling is transformed into HDL (e.g., VHDL or Verilog) which serves as a vehicle of communication with commercial CAD systems. The commercial CAD systems are responsible for physical implementation in particular devices, for example in Field Programmable Gate Arrays (FPGAs) or Complex Programmable logic Devices (CPLDs). Details of synthesis and implementation are contained in an algorithm transforming formal be-

The high level design process usually starts at the highest level of abstraction and comprehensively embraces all functionality of the system under design. Bailey and Martin [2] defined Electronic system level as “The use of appropriate abstractions to increase comprehension of a system and enhance the probability of successfully implementing its functionality in a cost-effective manner, while meeting necessary constraints.” This activity uses abstract notations and its main goal is to correctly understand the system and to implement it at the lowest possible cost. Kambe et al. [17] signaled that there is a lack of effective design tools that support transformation from high level design to the Register Transfer Level (RTL). This approach produces a gap between system specification, and its implementation and this gap seems to be still unbridged to this day. In contradiction to this method, in the presented paper it is proposed that a special encoding scheme be used which automatically maps functionality of the controller into state register flip-flops and their excitation functions. Posadas et al. [25] proposed their own automatic synthesis flow for complex embedded systems. The presented solution uses UML/MARTE standard and it is software centric. However, the advantages of the MARTE profile make a clear distinction between a functional and an implementational view, hence hardware components made of digital logic can easily be incorporated into this methodology. As the functional view is a domain of Platform Independent Model (PIM), the implementation details are part of Platform Specification Model (PSM) and Platform Description Model (PDM). State machine diagram and Petri net models, as graphical forms, belong to PIM, and the implementation encoding schemes, presented in the paper, belong to PSM and PDM. The Finite State Machine is a classical model of control unit [3]. Although in the basic version state machine is purely sequential, it can nevertheless also represent concurrency, for example, as Linking State Machines (LSMs) [6]. Different methods of FSMbased implementation in FPGAs are proposed by several authors

G. Łabiak, M. Wegrzyn ¸ and A. Rosado-Muñoz et al. / Microprocessors and Microsystems 72 (2020) 102924

(e.g., [4,26]). Borecky et al. [7] present an FSM application for the design of a safety device at a railway station. Petri nets are an intuitive model for concurrent controllers [14,22,27,32]. An equivalent industrial model is the Sequential Function Chart (SFC) [11]. The Petri net is also effectively used for partial reconfigurable controllers [23,31]. Chen [10] described an application of Petri nets for nuclear system design. Statechart diagrams were invented by David Harel [16] as a visual formalism for complex reactive systems. From the beginning, their graphical appeal has attracted wide interest among scientists and practitioners, which has resulted in the incorporation of it into UML technology [29]. Nowadays, statecharts are better known by the name UML state machines and they are mainly used at the stage of conceptual modelling of both software and hardware. Logic controllers exhibit traits of reactive systems, hence UML state machines are perfectly suited to model their behaviour. While modelling the behaviour of logic controllers in UML state machines seems to be obvious, logic synthesis is on the other hand cumbersome. This is due to ambiguity of UML state machine semantics, the abundance of syntax structures and difficulties in hardware description of given semantic features, e.g., exception transition. This has given rise to various implementation conceptions. In [8] state machines are transformed into an FSM model by means of functional decomposition and implemented in memory blocks in programmable structures. Bazydło et al. [5], according to their own encoding scheme, transform state machines into Verilog and next implement them into FPGA devices. Application of UML technology in digital controller design has been presented by Łabiak et al. [20]. Boufenara et al. [9] defined a semantic framework for UML2 activity diagrams using a class of high-level zero-safe nets, called transactional Petri nets (TPNets). This approach is suitable especially for formal verification. UML state machine is a notation primarily aimed at modelling behaviour of software objects (class instances) which by nature are sequential. However, UML state machine are equipped with so called regions (graphically represented by dashed line) which allow describing concurrent processes. By this feature and the presence of, next to hierarchy, the events in the UML state machine syntax they are suitable to model behaviour of reactive systems. Moreover, it is stated in [29]: ”The state machine formalism described in this sub clause [behavioural state machine] is an object-based variant of Harel statecharts [16]”. Exactly for this reason and wide acceptance and popularity of the UML in engineering community, UML state machine notation in the specific field of application, namely, in the digital controllers design area is applied. Wi´sniewski et al. [34] reported a technique which uses a dynamic modification of a continuously working controller (without technical breaks) based on partial reconfiguration of modern FPGAs. Binary Decision Diagrams (BDDs) are a software technique which allows the efficient implementation of formal algorithms operating on Boolean expressions [21,28]. 3. Dual-model design flow A complete design flow of logic controllers should combine traditional methods of digital circuits design for programmable devices with conceptual modelling appropriate for reactive systems. From the conceptual side of the design it is proposed that specially adopted UML diagrams be used, that is UML state machine and Petri nets. From the implementation side, the commercial software sold by the vendor of the programmable devices is used. Fig. 1 presents the design flow for the controllers implemented using FPGA technology. A system composed of independently working controllers is an essential feature of an architecture of safety-critical systems [15]. Among such systems there are also recently more and more pop-

3

Fig. 1. Design flow of a controller in FPGA technology.

ular autonomous vehicles [37]. In addition, such controllers should be designed in different ways, e.g., using different specification models, and even realizing by different design teams [30]. Applying of circuit redundancy is used in the form of dual or triple modular redundant (DMR and TMR) systems [12,24]. The presented method is based on two different well-known models of controller behaviour, i.e. Petri nets and UML state machine. Although each of these approaches can be used individually, but their interoperability can contribute to a much better understanding of logic controller design and validation. In the considered approach a possible error is detected by an additional circuit. 3.1. Logic controller design Every design typically starts with vague ideas about design functionality and its structure. At this beginning stage a project manager and a customer are talking in general terms, using very imprecise vocabulary describing their concepts and ideas. Moreover, technical details cannot be known at this stage and must be gradually specified. Usually the customer is not an engineer and cannot be precise, hence some technologically and financially dependent technical details must be defined by engineers and submitted to the customer for acceptance. This feasibility study must be documented in a language which is, on the one hand, very easy for comprehension for non-engineers, and on the other hand, precise and detailed enough for engineers to realize what was ordered by the customer. A language, which has both of the two paradoxically opposing features is Unified Modeling Language [18,29,35]. UML is a technology developed by software engineers and uses a class diagram as a link between an informally specified project (in terms of UML, called a model) and programmers. In the case of hardware design and particularly in the digital logic controller case, this link can be made by UML state machine diagrams (statecharts) or Petri nets which are in fact very similar to UML activity diagrams. These two formalisms, UML state machines and Petri nets, have both an attractive graphical form

4

G. Łabiak, M. Wegrzyn ¸ and A. Rosado-Muñoz et al. / Microprocessors and Microsystems 72 (2020) 102924

suitable for non-engineers, and are precise enough to describe unambiguously the controller’s behaviour. At this stage of design the modeled behaviour in the form of Petri nets or state machines is transformed into Hardware Description Language, e.g., VHDL [19] or Verilog [5]. This transformation is realised by means of non-commercial academic software, which takes into account the semantic rules of modelling languages and architectural features of programmable devices. Next, the project in HDL form is entered into a commercial CAD system supported by the FPGA device vendor. In the case of Xilinx devices the software is Xilinx Vivado or ISE (Integrated Synthesis Environment). The Xilinx CAD/CAE system, after compilation, works by stages of the synthesis and implementation processes which are heavily hardware technology dependent ones. The synthesis process maps design logic structures to device primitives (e.g., CLBs together with flip-flops) and the implementation process places the netlist generated at the synthesis stage onto the target device. Finally, the iMPACT program transfers a .bit file (generated at the implementation stage) into the devices installed on a printed circuit board (PCB). Parallel with the design stages, consecutive forms of the design can be verified as a regular digital circuit with the use of traditional methods such as emulation, simulation or structural analysis. Among many verification techniques, formal model-based techniques are very attractive. These techniques are based on the analysis of a mathematical model of the controller and they can be integrated into the design process at the early stage. Both for state machines, and especially for Petri nets, different mathematical models have been developed, with sophisticated formal methods using, among others, temporal logic, linear algebra or model checking techniques (e.g., [1,22]). Due to these achievements, some subtle errors such as incompleteness, ambiguities and inconsistencies in formal specification in Petri nets or state machine can be discovered long before any digital synthesis. Verifying a controller specified in two equivalent forms increases dependability in the controller and hence partially validates it. The Finite State Machine paradigm is the first, the simplest and the fundamental model for describing controllers. However, in the case of complex behaviour, this simplicity can yield very complex and unclear forms, awkward to maintain. Because of this, UML state machines and Petri nets have been developed and efficiently applied in controller design. These two models equally well support concurrency and their differences can complement each other. A system composed of independently working controllers as DMR configuration is an essential feature of an architecture of safety-critical systems [15]. In addition, such controllers should be designed in different ways, e.g., using different specification models, and even realizing by different design teams [30]. 3.2. UML state machine UML state machine primarily is a graphic notation. Fig. 2 presents a diagram which contains nearly every syntactic features assumed by the authors. The state machine diagram, generally, consists of states and transitions. A state (graphically rounded rectangle) can be simple or composite. The simple state (s3 , s4 , s5 , s6 , s7 ) is a state which cannot be decomposed into other substates, whereas the composite one (s1 , s11 , s12 , s2 ) can be. For example, the state s1 is decomposed into two concurrent states s11 and s12 (called regions) separated with a dashed line. A state can have assigned actions of three types: entry, do and exit which are broadcast depending on the phase of the state activity. An entry action is executed when the state is activated, a do action is repeatedly executed throughout the whole duration of the state activity and an exit action is broadcast when the state ceases its activity. A transition (t1 , t2 , t3 , t4 , t5 ) moves ac-

Fig. 2. State machine diagram with transition descriptions.

tivity from a source state to a target state, and in the diagram it is depicted as an arrow with a label. The transition basically cannot cross state borders. The label of a transition consists of two parts: triggering and action. The triggering part is a set of events which must be broadcast to fire a transition, and the action part is a set of events which are broadcast when a transition fires. Other syntactic features are: a default state – an arrow with a bullet, a history attribute – a letter h in a circle, an end state – a bullet in a circle (bull’s eye). The default state is a state from which the sequential automaton starts its activity. The history attribute is a memory property, which allows the resumption of activity of a sequential automaton from the most recently active state. The end state prevents a sequential automaton with an end state from breaking off its activity before the end state is reached. As far as state machine dynamics is concerned, in this work, it has been assumed that a state machine acts as a synchronous circuit, namely, changes of the state activities or the transition executions are synchronised by a clock signal. A state machine works through transition executions. Every transition in the diagram has its set of events, denoted in Fig. 2 as the trigger(t) part, which must be present for the transition to fire. Next to the triggering part a transition can have assigned to it another set of events which are broadcast when a transition fires and which are denoted as the action(t) part. The events generated through transition execution are accessible to the other parts of the diagram during the next clock signal. At the very beginning, active states are s1 and the states located in two concurrent regions: s2 , s4 and s6 . The state s1 has assigned to it a do action which causes the event e3 to be broadcast as long as the state s1 is active. This event enables the transitions t1 and t4 , since their triggering part contains the event e3 . At the next clock signal transitions t1 and t4 fire and events from their actionable parts are broadcast, namely the event e2 related to the transition t4 . The event e2 is accessible to the diagram at the next clock signal and this event is the triggering part of the transition t3 at the same time. When the transition t3 fires, activity from its

G. Łabiak, M. Wegrzyn ¸ and A. Rosado-Muñoz et al. / Microprocessors and Microsystems 72 (2020) 102924

5

Table 1 Structure of example Petri macronet.

Fig. 3. Examples of Petri net (a) and its consecutive levels (b)...(d) of macronet graphs.

source state s2 (and from its subordinate s7 ) is moved to its target state s3 and the generated event e1 enables transition t5 . Since the state s7 is a state with a history attribute and since it loses its activity, this state remembers its activity. Firing transition t5 finishes the life cycle of this autonomous state machine.

3.3. Petri nets A Petri net is a graphical and mathematical modelling tool for describing systems being concurrent, distributed, and parallel [22]. As a graphical tool, Petri nets are used for simulation of logic controllers. As a mathematical tool, Petri nets are suitable for analysis and synthesis of concurrent controllers. A Petri net graph can be treated as a description of a concurrent state machine with two structuring features: concurrency and hierarchy. All such features are illustrated with examples of controller designs in the papers [14,32]. The Petri net graph (Fig. 3a) describes the intended behaviour of the logic controller. The control algorithm is also supplemented by the Petri-net-based, fixed parameterised descriptions of controlled units. The example is a simple academic one, but its purpose is only for illustration of some selected features of a proposed design methodology. Transitions from Petri nets are labelled by guards. For example, the guard function for transition t1 in Fig. 3a is described as a Boolean expression M, stating that this transition may fire only if the start button M is pressed. The logic controller outputs are associated with places, which depict local states

Macroplace name

Petri net (macro)places

M1 M2 M3 M4 M5

P2 and P3 P4 and P5 P6 and P7 M1 and M2 P1 and M3 and M4

of concurrent state machine. For purpose of illustration, output R will be active when place P4 is marked by a token. Petri nets are also represented by a hierarchical model. In Fig. 3 (b-d) there are introduced consecutive macromodules, called macroplaces, which instead of subnets consist of sequential or parallel places (Table 1). Although the macronet can be reduced to only one macroplace M5, nevertheless such representation is not very suitable from an engineering point of view. In several circumstances a better model is that presented in Fig. 3c, where there is the state P1 as an initial one and macroplaces M3 and M4 as a normal operation. In the other case, the macronet shown in Fig. 3b is sufficient for illustration of relations between processes described by the net, i.e., macroplace M1 is concurrent to macroplace M2, and these macroplaces are sequential to macroplace M3. Logic controllers described by Petri nets can be used as effective models for design entry. The encoded Petri net model is converted into and HDL (e.g., VHDL or Verilog) specification conserving the initial rule-based specification. It provides a path to commercial simulation and synthesis tools. In the considered design process, FPGA devices are used for final hardware implementation. For such devices the most effective method for state encoding is the one-hot approach [36], i.e., a single flip-flop for a particular state. The hierarchical state, i.e., macroplace, is modeled as an additional HDL module that is presented in Fig. 4. It shows a graph of the macroplace and its symbol with description of inputs and outputs. Finally, the controllers are implemented using standard FPGA vendor CAD/CAEs (e.g., Xilinx Vivado or Altera Quartus). 4. Case study A simple chemical plant (Fig. 5) is composed of an industrial reactor and a transportation system. A functioning is governed by a discrete controller (as an embedded system) which is an integrated part of the plant. The reactor measures out two substances (MV1 , MV2 ), mixes them together (R) and pours the product into the wagon (WC) which transports the outcome to its destination station. 4.1. Working of the chemical reactor The detailed working of the reactor is as follows. Initially, the reacting substances are kept in containers SV1 and SV2 (see Fig. 5). The empty wagon waits in its initial position on the right. After the signal x0 occurs, a technological cycle starts: valves y1 and y2 are opened and substrates are poured into scales MV1 and MV2 , while at the same time, the wagon starts moving to the left (signal y9 ). The pouring of the substrates lasts until sensors x1 and x3 in the scales indicate the exceeding of upper limits. After both sensors indicate exceeding of the upper limits, the valves y3 and y4 , and the emptying of the scales MV1 and MV2 , move simultaneously into the on state, and the main reaction process starts. The agitator A is ready to switch on (signal y7 ). After the substance in the reactor main container R is above the sensor x5 , the agitator switches to the on state. When the substance is beneath again, the agitator switches off and is ready to start again. While emptying the scales and pouring into the main container R, the wagon is

6

G. Łabiak, M. Wegrzyn ¸ and A. Rosado-Muñoz et al. / Microprocessors and Microsystems 72 (2020) 102924

Fig. 4. Example of Petri net macromodule and its symbol.

Fig. 5. Reactor with wagon – schematic diagram.

moving to its position on the left. Next, when the scales MV1 and MV2 are emptied (which is indicated by sensors x2 and x4 ) and in the meantime the wagon has reached its left position (sensor x7 ), the main container valve y5 is opened and the container is emptied till the level of substance drops below the reading of the sensor x6 . Next, the wagon starts moving right (signal y8 ). When the wagon reaches the far right position, (sensor x9 ) wagon is emptied (valve y6 ). The end of emptying is signalled by x9 sensor, and after that, the technological cycle is finished and the whole plant is ready to start again for next processing cycle. 4.2. Conceptual modelling The presented above description of the chemical plant process cycle can be driven by the discrete controller. The controller acts as a reactive system continuously having to react to stimuli coming from the chemical plant. The inherent feature in the controlled

objects is that component elements of the object are distributed and hence act concurrently and asynchronously. Thus, the whole behaviour is complex. For these reasons, to describe effectively the behaviour of the controller, it is necessary to use a notation that employs discrete state space and concurrency, and yet allows the modularization of complex artefacts present in the controlled object behaviour. Two presented notations, namely Petri nets and UML state machines (e.g., Figs. 6 and 7), exhibit such desired traits. Further modelling, whether in Petri nets or in UML state machines, consists in expressing the behaviour of elements in terms of modelling language syntax features. Having analysed the chemical plant functions at a conceptual modelling level, i.e., at the highest level of description, one can distinguish the following elements of behaviour: the main technological process and the movement of the wagon (W). The movement of the wagon consists of two stages: a movement to the right direction to be unloaded, and a

G. Łabiak, M. Wegrzyn ¸ and A. Rosado-Muñoz et al. / Microprocessors and Microsystems 72 (2020) 102924

7

Fig. 6. Reactor with wagon: Petri net model (a) and its macronet (b).

return empty to the left direction in order to load a new batch of the product. The initial state of the chemical plant is an empty wagon awaiting on the right side for the signal to start. When the process starts, the empty wagon goes to the left and, at the same time, in the main technological part of the process, substrates are measured out into scales (MV1 and MV2 ), which are then next dispensed into the main reactor container (R). When the scales with substrates are ready, simultaneously dispensing of agents and stirring in the main container (R) starts. In brief, after initiation of the process the whole of the behaviour can be divided into four overlapping processes: return of the wagon (1), preparation of substrates (2), dispensing of agents (3) and stirring control (4) (see Fig. 6b). These four processes (see Table 2) are the main artefacts of the modelling language and should be the central point of the behavioural model. The best way to present these four processes and their dynamic dependencies is to use a simplified Petri net obtained through structural hierarchization of places using macroplaces (see Fig. 6b). The return of the wagon (M5 ) overlaps with the finishing of the substrate preparation (M8 ), the starting of the dispensing of agents (M9 ) and the stirring control (M6 ), while the process of stirring control (M6 ) overlaps with the processes of completion of the return of the wagon (M5 ) and the dispensing of agents (M9 ).

Table 2 State machine regions and equivalent Petri net places.

1) 2) 3) 4)

Process description

State machine structures

Petri net places and macroplaces

Return of the wagon Substrates preparation Dispensing agents Stirring control

WagonReturn Preparation

p6 , p13 p2 , p4 p3 , p5 p9 , p11 p10 , p12 p7 , p8

AgentsDispensing StirringControl

→ M5 → M8 → M9 → M6

This hierarchically structured Petri net, called a macronet, is the result of an iterative application of macroplaces, according to a bottom-up modelling strategy. The other macroplaces and their equivalent places in a Petri net and the regions in a state machine are presented in Table 3.

4.3. Formal forms of the controller Table 2 informally summarizes conceptual modelling, tentatively linking elements behaviour with modelling language syntax, i.e., Petri net places (and macroplaces) and state machine regions

8

G. Łabiak, M. Wegrzyn ¸ and A. Rosado-Muñoz et al. / Microprocessors and Microsystems 72 (2020) 102924

Fig. 7. State machine diagram of the controller for reactor with wagon.

Table 3 The other macroplaces of macronet. Petri net macroplaces

Petri net places

Process description

State machine regions (Fig. 7)

M1 M2 M3 M4

p2 , p4 p3 , p5 p9 , p11 p10 , p12

Filling scale 1 Filling scale 2 Emptying scale 1 Emptying scale 2

FMV1 FMV2 EMV1 EMV2

or composite states. This outcome forms the basis for a formal and detailed description of the logic controller under design. Figs. 6 a and 7 present two equivalent models, a Petri net and a UML state machine, which use syntax structure names contained in Table 2. In both modelling languages the central notion is that of a state, and modelling in both languages revolves around it. In a Petri net, a state is directly represented by a place. In a UML state machine, the case is slightly more complicated since the addition of hierarchy of behaviour, next to simple states, has forced the introduction of composite states and regions. OMG UML Superstructure [29] defines regions and composite states as follows: “A region

is an orthogonal part of either a composite state or a state machine” and “A composite state either contains one region or is decomposed into two or more orthogonal regions”. This means that these two syntax structures are suitable for process descriptions. Ultimately, every state machine process consists of simple states to which Petri net places can be simply assigned. 4.4. Synthesis, implementation and experimental results A digital circuit realizing function of the controller modeled by Petri net or UML state machine acts synchronously and changes its state by transition execution to the rhythm of the clock signal. Common feature of the Petri net and UML state machine synthesis strategy is that every state/place is assigned one flip-flop and the excitation function is built on the basis of the transition firing rules and topology of the diagram. Additionally, UML state machine is equipped with the event broadcast mechanism, which means that events can be related with transition execution, when the state gets activity (keyword entry), looses activity (keyword exit) or during its whole activity (keyword do). The information of the events generated during current tick of the clock must be sustained to the

G. Łabiak, M. Wegrzyn ¸ and A. Rosado-Muñoz et al. / Microprocessors and Microsystems 72 (2020) 102924

9

Table 4 Implementation results. Model Factor #IOBs+BUFG #FFs #LUTs #Slices

Petri net

Statechart

22 16 20 5

22 22 41 14

next tick of the clock and for this for every place in the diagram where the events are generated must be added one flip-flop. Detailed rules of the flip-flops excitations go beyond scope of this paper. But as far as the end state is concerned, also every end state is assigned one flip-flop and a signal coming out with this flipflop is used by the excitation function of the other state flip-flops. As long as the end state is inactive, the transition of a higher hierarchy level cannot interrupt sequential automaton with the end state. The exception transition, typical for UML state machines (it preempt activity from a subordinated diagram), makes it possible for control to be taken from a given subdiagram by one event. This element is an example of behavioural hierarchy, unavailable in Petri nets where at best structural hierarchy is present, that is, places which can be grouped into macroplaces. These substantial differences are reflected in synthesis schemes and affect consumption of hardware resources in programmable devices. Table 4 presents implementation results of both controllers. Implementation has been carried out in a Virtex-5 Xilinx FPGA device (XC5VLX50T-FF1136-1) [36]. The hardware resources consumption confirms that UML state machine implementation uses more resources, both flip-flops and logic (LUTs and Slices), than Petri net implementation. However, the difference is slight, especially taking into account the number of all resources available in the device hardware. In the case of UML state machine synthesis, description in HDL language (VHDL or Verilog) conveys a behavioural hierarchy (Fig. 8). Here, the rule is as follows: one sequential automaton of state machine corresponds to one HDL module which is composed of its entity and architecture. A big advantage of the HDL model of logic controller prepared in this way is that the model can be easily subjected to partial reconfiguration [20,33]. 4.5. Discussion One can say, although this is not always the rule, that UML state machine better supports top-down strategy modelling, while Petri nets are well suited for bottom-up modelling. At conceptual modelling stage, top-down strategy gives more opportunities, because the designer can abstract. Regions and composite states allow a black-box type abstraction, this means that complex behaviours can be closed in composite states as in a black-box. On the other hand, proceeding which starts from the details, despite it might seem more difficult, makes that complex relations in Petri nets can be better expressed. For example, three processes from Fig. 6 and Table 2, return of the wagon (1), dispensing agents (3) and stirring control (4) are overlapping and require special attention to properly synchronize them. While the wagon is returning, the processes of dispensing agents (3) and stirring control (4) start at the same time. Next, after the wagon movement (1) and agent dispensing (3) are stopped by the joining transition t10 , emptying the reactor starts and stirring control (4) is still working what is synchronized by the transition t11 . Emptying and stirring last till the main container R is empty (!x6 , i.e., negation of x6 ). These processes, because of their overlapping nature, cannot be presented in a purely

Fig. 8. Structure of VHDL files: (a) component HDL module, (b) module hierarchy.

modular way. In UML state machine (Fig. 7) description their behaviourally equivalent transitions (also called t10 and t11 ), cannot synchronize equally natty the three equivalent processes (WagonReturn, AgentDispensing, StirringControl). To synchronize return of the wagon (1) and dispensing agents (3), a special synchronization variable (z1 ) and an end state machanism are needed. The variable z1 is set in the state WagonWaiting (the keyword do in the state) and red in transition t10 from the state EmptyingScales to the state EmptyingReactor. Transition t10 is guarded with this variable and this prevents emptying reactor before wagon is come back, what makes that the role of the transition t10 from UML state machine is the same as is t10 in the Petri net. The end state mechanism makes that sequential automaton must reach this state before higher lever transition, e.g., t11, can interrupt its behaviour. In the Petri net diagram (Fig. 6), these processes are synchronised by a graphical element (a bar) of the transitions t10 and t11 . In this case, a flat Petri net diagram better conveys inter-process dependencies than hierarchical UML state machine. However, both points of view are equally important, because both perspectives comprehensively, from opposing positions, encompass modelled behaviour. Additionally, if both models behave in the same way, the resulting controller is more reliable.

5. Conclusion In the paper the design method of discrete controllers has been presented. The process is based on the interoperability between two perspectives: Petri nets approach (bottom-up strategy) and UML state machine approach (top-down strategy). The former concentrates on the details (such as synchronization of overlapping three processes in the paper example). The latter focuses on general (or abstract) view of the behaviour, which on the conceptual modelling can cause better understanding of complex behaviour. Both points of view are equally important, because both perspectives together comprehensively, but from opposing positions, en-

10

G. Łabiak, M. Wegrzyn ¸ and A. Rosado-Muñoz et al. / Microprocessors and Microsystems 72 (2020) 102924

compass modelled behaviour. Moreover, if both models behave in the same way, the resulting controller is more reliable. Comparing the two presented behaviourally equivalent models, one can say that UML state machine is natively more modular, that is, its hierarchical elements such as composite states and regions are self-contained. Due to this fact, in general, complex behaviour can be easily presented in an abstract way, leaving irrelevant details aside. On the other hand, Petri nets primarily are “flat”, so in making behaviour description a designer is acting usually on the level of the tiniest details. Only when a complete model is ready, there can be applied some elements of modularity, and hence hierarchy in the form of macroplaces. Modularity and hierarchy in Petri nets are derivative in nature. Having a controller behaviour in two forms, Petri net and state machine, not only supports conceptual modelling, but also strongly contributes to validation of the controller, which is especially important in the case of designing safety- or life-critical embedded systems. Moreover, the controller designed in two different forms, generally, with one as a DMR system, can lead to an increase in overall reliability of the device under design. Declaration of Competing Interest The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper. Acknowledgements The presented solutions have been partially supported by Hertz Systems (Zielona Góra, Poland, www.hertzsystems.com), and verified in civil, military and space projects. References [1] C. Baier, J.-P. Katoen, Principles of Model Checking, The MIT Press, 2008. [2] B. Bailey, G. Martin, ESL Models and Their Application: Electronic System Level Design and Verification in Practice, 1st, Springer Publishing Company, Inc., 2009. [3] S. Baranov, Logic Synthesis for Control Automata, Kluwer Academic Publishers, Dordrecht, 1994. [4] A. Barkalov, M. Wegrzyn, ¸ R. Wi´sniewski, Partial reconfiguration of compositional microprogram control units implemented on FPGAs, in: Proceedings of the IFAC Workshop on Programmable Devices and Embedded Systems, PDeS 2006, Brno, Czech Republic, 2006, pp. 116–119. [5] G. Bazydło, M.Adamski, M.Wegrzyn, ¸ A.Rosado-Muñoz, From UML state machine diagram into FPGA implementation, Adv. Electric. Electron. Eng. 12 (5) (2014) 452–458. [6] H. Belhadj, L. Gerbaux, M. Bertrand, G. Saucier, Specification and synthesis of communicating finite state machines, in: G. Saucier, J. Trilhe (Eds.), Synthesis for Control Dominated Circuits, Selected papers from the IFIP WG10.2/WG10.5 Workshops, Grenoble, France, April and September, 1992, IFIP Transactions, A-22, North-Holland, 1992, pp. 91–102. [7] J. Borecky, P. Kubalik, H. Kubatova, Reliable railway station system based on regular structure implemented in FPGA, in: Proceedings of the 12th Euromicro Conference on Digital System Design, Architectures, Methods and Tools, DSD ’09, Patras, Greece, 2009, pp. 348–354, doi:10.1109/DSD.2009.210. [8] G. Borowik, G. Łabiak, A. Bukowiec, FSM-based logic controller synthesis in programmable devices with embedded memory blocks, in: R. Klempous, J. Nikodem (Eds.), Innovative Technologies in Management and Science, Springer International Publishing Switzerland, Cham Heidelberg, 2015, pp. 123–151. [9] S. Boufenara, K. Barkaoui, F. Belala, H. Boucheneb, Transactional petri nets: a semantic framework for UML2 activities, Int. J. Crit. Comput.-Based Syst. (IJCCBS) 5 (3/4) (2014) 241–267, doi:10.1504/IJCCBS.2014.064663. [10] C.-K. Chen, A petri net design of FPGA-based controller for a class of nuclear IC systems, Nucl. Eng. Des. 241 (7) (2011) 2597–2603. [11] R. David, H. Alla, Petri Nets and Grafcet: Tools for Modelling Discrete Event Systems, Prentice Hall, 1992. [12] A.H. El-Maleh, Finite state machine-based fault tolerance technique with enhanced area and power of synthesised sequential circuits, IET Comput. Digital Tech. 11 (4) (2017) 159–164, doi:10.1049/iet-cdt.2016.0085.

[13] D.W. Embley, B. Thalheim, Handbook of Conceptual Modeling: Theory, Practice, and Research Challenges, 1st, Springer Publishing Company, Incorporated, 2011. [14] L. Gomes, A. Costa, J. Barros, P. Lima, From Petri net models to VHDL implementation of digital controllers, in: Proceedings of the 33rd Annual Conference of the IEEE Industrial Electronics Society, IECON 2007, Taipei, Taiwan, 2007, pp. 94–99. [15] W.A. Halang, M. Colnaric, On safety-critical computer control systems, in: 10th IEEE Symposium on Computer-Based Medical Systems, CBMS ’97, Maribor, Slovenia, 1997, pp. 210–214, doi:10.1109/CBMS.1997.596436. [16] D. Harel, Statecharts: a visual formalism for complex systems, Sci. Comput. Program. 8 (1987) 231–274. [17] T. Kambe, A. Yamada, M. Yamaguchi, Trend of system level design and an approach to c-based design, Microelectron. J. 33 (11) (2002) 875–880. Doi: 1016/S0026-2692(02)00068-X. [18] G. Łabiak, Conception of partial specification of logic controller deterministic state machine, Measurement Automation Monitoring 58 (1) (2012) 76–79. [19] G. Łabiak, G. Borowik, Statechart-based controllers synthesis in FPGA structures with embedded array blocks, Int. J. Electron.Telecommun. 56 (1) (2010) 13–24. [20] G. Łabiak, M. Wegrzyn, ¸ A. Rosado-Muñoz, Statechart-based design controllers for FPGA partial reconfiguration, in: Photonics Applications in Astronomy, Communications, Industry and High-Energy Physics Experiments 2015: XXXVI-th IEEE-SPIE Joint Symposium, Proceedings of SPIE, 9662, Bellingham, SPIE, 2015, pp. 96623–96634. [21] C. Meinel, T. Theobald, Algorithms and Data Structures in VLSI Design: OBDD – Foundations and Applications, Springer, 1998. [22] T. Murata, Petri nets: properties, analysis and applications, Proc. IEEE 77 (4) (1989) 541–580. [23] P. Nascimento, P. Maciel, M. Lima, R. Sant’ana, A. Filho, A partial reconfigurable architecture for controllers based on Petri nets, in: 17th Symposium on Integrated Circuits and Systems Design, SBCCI 2004, Pernambuco, Brazil, 2004, pp. 16–21, doi:10.1109/SBCCI.2004.240918. ´ G. Schoof, Z. Stamenkovic, ´ Fault-tolerant tmr and dmr circuits with [24] V. Petrovic, latchup protection switches, Microelectron. Reliab. 54 (8) (2014) 1613–1626. [25] H. Posadas, P. Peñil, A. Nicolás, E. Villar, Automatic synthesis of embedded SW for evaluating physical implementation alternatives from UML/MARTE models supporting memory space separation, Microelectron. J. 45 (10) (2014) 1281–1291. DCIS’12 Special Issue. [26] M. Rawski, H. Selvaraj, T. Łuba, An application of functional decomposition in ROM-based FSM implementation in FPGA devices, J. Syst. Architect. 51 (2005) 424–434. [27] J.S. Sagoo, Formal approach for the safety assessment of embedded controller based on programmable electronic hardware, Microprocess. Microsyst. 39 (7) (2015) 435–443. [28] F. Somenzi, CUDD: CU Decision Diagram Package. Release 3.0.0, 2015, [29] UML, OMG Unified Modeling Language, Superstructure. Version 2.4.1, Needham, U.S.A., 2011. [30] M. Wegrzyn, ¸ Implementation of safety critical logic controller by means of FPGA, Ann. Rev. Control 27 (2003) 55–61. [31] M. Wegrzyn, ¸ Petri net decomposition approach for partial reconfiguration of logic controllers, in: Proceedings of the 3rd IFAC Workshop on Discrete-Event System Design, DESDes 2006, Rydzyna, Poland, 2006, pp. 323–328. [32] M. Wegrzyn, ¸ M. Adamski, Hierarchical approach for design of application specific logic controller, in: Proceedings of IEEE International Symposium on Industrial Electronics ISIE 1999, Volume 3, Bled, Slovenia, 1999, pp. 1389–1394. [33] R. Wi´sniewski, Prototyping of Concurrent Control Systems Implemented in FPGA Devices, Springer International Publishing, Berlin - Heidelberg, 2017. [34] R. Wi´sniewski, G. Bazydło, L. Gomes, A. Costa, Dynamic partial reconfiguration of concurrent control systems implemented in FPGA devices, IEEE Trans. Ind. Inf. 13 (4) (2017) 1734–1741, doi:10.1109/TII.2017.2702564. [35] S. Wood, D. Akehurst, O. Uzenkov, W. Howells, K. McDonald-Maier, A modeldriven development approach to mapping UML state diagrams to synthesizable VHDL, IEEE Trans. Comput. 57 (10) (2008) 1357–1371, doi:10.1109/TC.2008.123. [36] Xilinx, Virtex-5 FPGA User Guide, San Jose, U.S.A., 5.4 edition, 2012. [37] S. Zereen, S. Lal, M.A. Khalid, S. Chowdhury, An FPGA-based controller for a 77 GHz MEMS tri-mode automotive radar, Microprocess. Microsyst. 58 (2018) 34–40. Grzegorz Łabiak received his M. Sc. Degree in Computer Science from the University of Zielona Góra in 1995 and Ph.D degree in Computer Science from Warsaw University of Technology in 2004. Since 2004, he has been an assistant professor, now at the Institute of Electrical Engineering, in the Faculty of Computer Science, Electrical Engineering and Automatics at the University of Zielona Góra (Poland). His current research interests include controllers modelling (especially UML), synthesis and verification of digital systems especially with the use of formal methods.

G. Łabiak, M. Wegrzyn ¸ and A. Rosado-Muñoz et al. / Microprocessors and Microsystems 72 (2020) 102924 Marek Wegrzyn ¸ received the M.Sc. in Electrical Engineering degree from the Technical University of Zielona Gora, Poland, in 1991, and Ph.D. in Computer Engineering from Warsaw University of Technology, Poland, in 1999. Since 1991 he was a lecturer of digital systems at the Technical University of Zielona Góra. In 1999–2016, Dr. Wegrzyn was an assistant professor, and a Head of Computer Engineering Division at University of Zielona Gora. In 2015– 2018, he was an assistant professor, at Jacob of Paradise University (Gorzów Wielkopolski). Since 2018 he has been a senior expert of system design at Hertz Systems Ltd. (Zielona Góra), and since 2019 he has been an assistant professor at Space Research Center of PAS (branch Zielona Góra). His research interests focus on Petri Nets, HDLs, concurrent controller designs, safety-critical systems, and cryptography. Recent work includes design of dedicated FPGA-based digital systems, tools for the automatic synthesis of programmable logic, and cryptographic systems using OTP mechanism. He is a member of several international and national societies, including PTI, POLSPAR, IEEE, and IFAC. Alfredo Rosado-Muñoz obtained his PhD in 2000. He is a Professor at the School of Engineering, Dpt. Electronic Engineering, University of Valencia (SPAIN). He is a member of IFAC (International Federation of Automatic Control). His research is related to digital computer architectures for efficient data processing and computing. Currently, his main work is related to artificial intelligence algorithm implementation, especially neural networks in different types: Feed Forward, Spiking, Convolutional, Deep Neural Networks, etc. His research is oriented to biomedical and industrial applications, including their control systems.

11

Grzegorz Bazydło obtained his M.Sc. degree and Ph.D. degree in Computer Science from the University of Zielona Góra in 2003 and 2010, respectively. Since 2012, he has been an assistant professor, now at the Institute of Electrical Engineering, in the Faculty of Computer Science, Electrical Engineering and Automatics at the University of Zielona Góra (Poland). His current research interests include graphical methods (especially UML) in design, synthesis and verification of embedded systems implemented in FPGA devices.