Formal Framework for Discrete-Event Simulation

Formal Framework for Discrete-Event Simulation

Proceedings of the 20th World Congress Proceedings of the 20th World The International Federation of Congress Automatic Control Proceedings of the 20t...
Download PDF
417KB Sizes 0 Downloads 70 Views
Report

Proceedings of the 20th World Congress Proceedings of the 20th World The International Federation of Congress Automatic Control Proceedings of the 20th World Congress Proceedings of the 20th World The International Federation of Congress Automatic Control Toulouse, France,Federation July 9-14, 2017 The International of Automatic Control Available online at www.sciencedirect.com The International of Automatic Control Toulouse, France,Federation July 9-14, 2017 Toulouse, France, July 9-14, 2017 Toulouse, France, July 9-14, 2017

ScienceDirect

IFAC PapersOnLine 50-1 (2017) 5812–5817

Formal Framework for Discrete-Event Simulation Formal Framework for Discrete-Event Simulation Formal Framework for Discrete-Event Formal Framework for Discrete-Event Simulation Simulation Vincent Albert, Cl´ement Foucher Vincent Albert, Cl´ ement Foucher Vincent Vincent Albert, Albert, Cl´ Cl´eement ment Foucher Foucher LAAS–CNRS, Universit´e de Toulouse, CNRS, UPS, Toulouse, France LAAS–CNRS, Universit´ e de Toulouse, CNRS, UPS, Toulouse, France LAAS–CNRS, Universit´ ee de CNRS, (e-mail: {Vincent.Albert, Clement.Foucher}@laas.fr) LAAS–CNRS, Universit´ de Toulouse, Toulouse, CNRS, UPS, UPS, Toulouse, Toulouse, France France (e-mail: {Vincent.Albert, Clement.Foucher}@laas.fr) (e-mail: (e-mail: {Vincent.Albert, {Vincent.Albert, Clement.Foucher}@laas.fr) Clement.Foucher}@laas.fr)

Abstract: A formal framework for modelling and simulation of parallel systems named ProjectDEVS is Abstract: A formal framework modelling and of parallel systems ProjectDEVS is Abstract: A formal framework for modelling and simulation of named ProjectDEVS is presented. The objective of thisfor framework to simulation apply a Model-Based Systemnamed Engineering approach Abstract: A formal framework for modellingis and simulation of parallel parallel systems systems named ProjectDEVS is presented. The objective of this framework is to apply a Model-Based System Engineering approach presented. The objective of this framework is to apply a Model-Based System Engineering approach to the development of simulation products for cyber-physical embedded systems. It is intended for presented. The objective of this framework is tocyber-physical apply a Model-Based System Engineering approach to the development of simulation products for embedded systems. It is intended for to development of products for It for the design and automated deployment of virtual prototypes. embedded Models aresystems. constructed by coupling to the the development of simulation simulation products for cyber-physical cyber-physical embedded systems. It is is intended intended for the design and automated deployment virtual prototypes. Models constructed by coupling the design and automated deployment of virtual prototypes. Models are constructed by coupling concurrent components exchanging data of through ports and executed by are various simulation schemes, the design and automated deployment of virtual prototypes. Models are constructed by coupling concurrent components exchanging data through ports and executed by various simulation schemes, concurrent components exchanging through ports and executed simulation namely simulators. This paper focusesdata on the integration a Time Petri by Netvarious implementation of aschemes, parallel concurrent components exchanging data through ports of and executed by various simulation namely simulators. This paper focuses on the integration of aasimulator Time Petri Net implementation of aaschemes, parallel namely simulators. This paper focuses on the integration of Time Petri Net implementation of simulator into the framework. The semantics of the parallel is formally described using timed namely simulators. This paper The focuses on the integration of asimulator Time PetriisNet implementation of a parallel parallel simulator into the framework. semantics of the parallel formally described using timed simulator into the framework. The semantics of the parallel simulator is formally described using timed transition system to verify the correctness of the implementation. Then, a model with its simulator can be simulator system into thetoframework. The semantics of implementation. the parallel simulator isa formally described usingcan timed transition verify the correctness of the Then, model with its simulator be transition system to verify the correctness of the implementation. Then, a model with its simulator can be model checked against formal specification and be rapidly deployed on FPGA or PC via code generators. transition system to verify the correctness of the implementation. Then, a model with its simulator can be model checked against formal specification and be rapidly deployed on FPGA or PC via code generators. model checked against formal specification and be rapidly deployed on FPGA or PC via code generators. model checked against formal specification and be rapidly deployed on FPGA or PC via code generators. © 2017, IFAC (International Federation of Automatic Control) Hosting by Elsevier Ltd. All rights reserved. Keywords: Discrete-event simulation, Parallel simulator, Time Petri Net, Formal methods, MBSE Keywords: Discrete-event simulation, Parallel simulator, Time Petri Net, Formal methods, MBSE Keywords: Keywords: Discrete-event Discrete-event simulation, simulation, Parallel Parallel simulator, simulator, Time Time Petri Petri Net, Net, Formal Formal methods, methods, MBSE MBSE 1. INTRODUCTION specific event occurs at a discrete point of time. We call an event 1. INTRODUCTION INTRODUCTION specific event when occursthe at aaconsidered discrete point point of time. time. We calloran an event 1. event occurs at discrete of call aspecific time event variable is We time, state 1. INTRODUCTION specific event when occursthe at aconsidered discrete point of time. We calloranaa event event a time event variable is time, state aa time event the considered variable is time, or aa state when it when is a variable of the model. Whereas discrete-time A cyber-physical system is a system composed of computing event time event when the considered variable is time, or state event when it is a variable of the model. Whereas discrete-time A cyber-physical system is a system composed of computing event when it is aaavariable of the model. Whereas discrete-time A cyber-physical system is aa system composed of computing needs special mechanism (zero-crossing functions) processes (the controller) in interaction with physical processes simulators event when it is variable of the model. Whereas discrete-time A cyber-physical system is system composed of computing simulators needs special mechanism (zero-crossing functions) processes (the controller) in interaction interaction with physical processes simulators needs aaa special mechanism (zero-crossing processes in physical handle state event for hybrid systems simulation, infunctions) discrete(the plant)(the forcontroller) control and command.with During the processes develop- to simulators needs special mechanism (zero-crossing functions) processes (the controller) in interaction with physical processes to handle state event for hybrid systems simulation, in discrete(the plant) for control and command. During the developto handle state event for hybrid systems simulation, in discrete(the plant) for control and command. During the developevent simulation, everything is time event because an event ment cycle of a controller/plant system, different simulation to handle state event for hybridissystems simulation, in an discrete(the plant) for control and command. During thesimulation develop- event simulation, everything time event because event ment cycle of a controller/plant system, different event simulation, is time an event ment cycle aa controller/plant simulation scheduled and iteverything is the time of theevent next because event that makes platforms areof used for validation system, purposes.different We believe that a is event simulation, everything is time event because an event ment cycle of controller/plant system, different simulation is scheduled and it is the time of the next event that makes platforms are used for validation purposes. We believe that a is scheduled and it is the time of the next event that makes platforms are used for validation purposes. believe that aa simulation time advance. Model-Based System Engineering (MBSE) We approach allows, is scheduled and it is the time of the next event that makes platforms are used for validation purposes. We believe that simulation time time advance. advance. Model-Based SystemofEngineering Engineering (MBSE) approach allows, Model-Based System (MBSE) for the development both embedded systemapproach and theirallows, simu- simulation simulation timewe advance. Model-Based SystemofEngineering (MBSE) approach allows, In that context develop a modelling and simulation tool of for the development both embedded system and their simufor the development of both embedded system and their simulation ensuring theirembedded reliability,system promoting design and In that context we develop a modelling and simulation tool of for theproducts, development of both and their simuIn that context we develop aa modelling simulation of parallel systems named ProDEVS basedand on the Discretetool Event lation products, ensuring their reliability, promoting design and In that context we develop modelling simulation tool of lation their promoting design and test ofproducts, candidateensuring architectures, mixing real or simulated parallel systems named ProDEVS basedand onand the Discrete Event lation products, ensuring their reliability, reliability, promoting designcomand System parallel systems named ProDEVS based on the Discrete Event Specification (DEVS) formalism its simulators. test of candidate architectures, mixing real or simulated comparallel systems named(DEVS) ProDEVS based onand the Discrete Event test of candidate architectures, mixing real or simulated components of the controller and/or plant, and of course reducing System Specification formalism its simulators. test of candidate architectures, mixing real of or course simulated com- DEVS, System formulated Specification formalism its by (DEVS) Zeigler (1976), has and an abstract syntax ponents of the the controller and/or plant, and reducing Specification formalism and its simulators. simulators. ponents of and course their development time. Aand/or MBSEplant, approach typically relies on System DEVS, formulated by (DEVS) Zeigleris(1976), (1976), has anthan abstract syntax ponents of the controller controller and/or plant, and of of course reducing reducing DEVS, formulated by Zeigler has an abstract syntax for atomic component which nothing else an interface their development time. A MBSE approach typically relies on DEVS, formulated by which Zeigleris(1976), has anthan abstract syntax their development time. A MBSE approach typically relies on model transformations and code generators. for atomic component nothing else an interface their time.and A MBSE approach typically relies on (input/output) for atomic component which is else an interface timed automata. Itnothing provides a than modular and himodeldevelopment transformations code generators. generators. for atomic component which is nothing else than an interface model transformations and code (input/output) timed automata. automata. It provides provides modular andcouhimodel transformations and code generators.is used to study the erarchical (input/output) timed It aaa modular and hiconstruction of the model with the concept of At a very early stage, virtual prototyping (input/output) timed automata. It provides modular andcouhierarchical construction of the the model model with the concept of At aa very very early early stage, virtualand prototyping iscontrol used to toalgorithms study the the pled erarchical construction of with the concept of couAt stage, virtual prototyping is used study component that connects atomic component output ports performance of the system design the erarchical construction of the model with the concept of ports couAt a very early stage, virtualand prototyping iscontrol used toalgorithms study the pled component that connects atomic component output performance of the system design the pled component that atomic component output ports performance of system and design control algorithms atomic component input ports. DEVS also defines a set of with a simulated plant. Virtual does not require nei- to pled component that connects connects atomic component output ports performance of the the system andprototype design the the control algorithms to atomic atomic component inputway ports. DEVS also defines a called set of withthe a simulated simulated plant. Virtual prototype does not require nei- operational to component input ports. DEVS also defines a set with a plant. Virtual prototype does not require neisemantics (the of executing the model), ther controller nor the plant to operate in real time. However, to atomic component inputway ports. DEVS also defines a called set of of with a simulated plant. Virtual prototype does not require nei- operational semantics (the of executing the model), ther the controller nor the plant to operate in real time. However, operational semantics (the of the model), ther the controller plant time. However, abstract simulator theway DEVS community, can becalled seen it can executednor as the a software, i.e. onin desktop operational semantics in (the way of executing executing thethat model), called ther thebe controller nor the plant to to operate operate inaa real real time.simulator, However, the the abstract simulator in the DEVS community, that can be seen it can be executed as a software, i.e. on desktop simulator, the simulator in that be it be aa software, i.e. on simulator, Model of Computation (MoC),community, see Ptolemaeus (2014) for or instantiated on a as dedicated digital processing unit as theaaabstract abstract simulator in the the DEVS DEVS community, that can can be seen seen it can can be executed executed software, i.e.hardware on aa desktop desktop simulator, as Model of Computation (MoC), see the Ptolemaeus (2014) for or instantiated on Dedicated a as dedicated digital hardware processing unit MoCs as a Model of Computation (MoC), see Ptolemaeus (2014) for instantiated on a dedicated digital hardware processing unit in Ptolemy. For instance we have following Discreteor a mix of both. digital hardware processing units a Model of Computation (MoC), see the Ptolemaeus (2014) for or instantiated on Dedicated a dedicateddigital digitalhardware hardwareprocessing processingunits unit as MoCs in Ptolemy. For instance we have following Discretea mix of both. MoCs Ptolemy. instance we the Discreteor mix of both. Dedicated digital hardware units (DE) MoCs:For Classic DEVS simulator (CDEVS) where can used accelerate various computations instead of using MoCs in in Ptolemy. For instance we have have the following following Discreteor aabe mix of to both. Dedicated digital hardware processing processing units Event Event (DE) MoCs: Classic DEVS simulator (CDEVS) where can be used to accelerate various computations instead of using Event Classic DEVS (CDEVS) where can to computations using execution is sequential (only one component is software. With the adventvarious of Field-Programmable Gateof Event (DE) (DE) MoCs: MoCs: Classic DEVS simulator simulator (CDEVS) where can be be used used to accelerate accelerate various computations instead instead ofArrays using components components execution isconservative sequential (only one one component is software. With the advent ofa Field-Programmable Field-Programmable Gate Arrays components execution is sequential (only component is software. With the advent of Gate Arrays executed at a time) and Parallel DEVS simulator (FPGAs), one can design hardware circuit and instantiate components execution is sequential (only one component is software. With the advent ofa Field-Programmable Gate Arrays executed at a time) and conservative Parallel DEVS simulator (FPGAs), one can design hardware circuit and instantiate executed at aa time) and Parallel (FPGAs), one can design aa hardware circuit and instantiate formulated byconservative Chow (1996), whereDEVS severalsimulator compoit immediately instead of going through the long process of (PDEVS), executed at time) and conservative Parallel DEVS simulator (FPGAs), one can design hardware circuit and instantiate (PDEVS), formulated bythe Chow (1996), where several compoit immediately immediately instead of of going through through the long long process of nents (PDEVS), formulated by Chow (1996), where several compoit instead the process of can be executed at same time but causality violations designing an Application-Specific Integrated Circuit (ASIC). (PDEVS), formulated bythe Chow (1996), where several compoit immediately instead of going going through the long process of nents can be executed at same time but causality violations designing an Application-Specific Integrated Circuit (ASIC). nents can be executed at the same time but causality violations designing an Circuit (ASIC). strictly Various andbut distributed Using FPGA devices, the creationIntegrated of hardware accelerators nents can beavoided. executed at the parallel same time causalitysimulation violations designing an Application-Specific Application-Specific Integrated Circuit (ASIC). are are strictly avoided. Various parallel and distributed simulation Using FPGA devices, the creation of hardware accelerators are strictly Various and distributed simulation Using FPGA devices, the creation of accelerators have implemented parallel DEVS. dedicated to a specific occasional becomes possible. researchers are strictly avoided. avoided. Various parallel parallel andsimulators distributed for simulation Using FPGA devices,or creation purpose of hardware hardware accelerators researchers have implemented parallel simulators for DEVS. dedicated to aa specific specific orthe occasional purpose becomes possible. A researchers have implemented parallel simulators for dedicated to or occasional purpose becomes possible. time warp optimistic DEVS simulator, see Jefferson et al. researchers have implemented parallel simulators for DEVS. DEVS. dedicatedevent to a specific or occasional possible. Discrete simulation is widely purpose used forbecomes the validation of (1985), A time warp optimistic DEVS simulator, see Jefferson et al. al. A time warp optimistic DEVS simulator, see Jefferson et where causality might be violated, detected and remeDiscrete event simulation is widely used for the validation of A time where warp optimistic DEVSbesimulator, Jefferson et al. Discrete event simulation is widely for the validation of parallel and distributed systems. NS3used and Omnet++, which are (1985), causality might violated, see detected and remereme(1985), where causality might be violated, detected and Discrete event simulation is widely used for the validation of died using roll-back has been implemented by Christensen parallel and and distributed systems. NS3 and and Omnet++, Omnet++,and which are (1985), where causality might violated, detected and remeparallel distributed systems. NS3 which are reference tools in the field of computer VHDL died using using roll-back has beenbe implemented by see Christensen died roll-back has implemented by Christensen parallel and distributed systems. NS3 and networks Omnet++,and which are (1990). A risk-free simulator, Ferscha reference tools in the field of computer networks VHDL died using roll-backoptimistic has been been DEVS implemented by see Christensen reference tools in the field of computer networks and VHDL simulation in the field of digital hardware processing units, use (1990). A risk-free optimistic DEVS simulator, Ferscha (1990). A risk-free optimistic DEVS simulator, see Ferscha reference tools infield the of field of computer networks and VHDL (1995), where events are assessed for risk before sending has simulation in the digital hardware processing units, use (1990). A risk-free optimistic DEVS simulator, see Ferscha simulation in the field of digital hardware processing units, use this discrete event paradigm. In the field of continuous systems (1995), where events are assessed for risk before sending has (1995), where events are assessed for risk before sending simulation inevent the field of digital hardware processing units, use been implemented by Reisinger et al. (1995). See Zeigler et al. this discrete paradigm. In the field of continuous systems (1995), where events assessed for(1995). risk before sendingethas has this discrete event paradigm. field of continuous systems simulation, there is a familyIn ofthe asynchronous (event-driven) been implemented implemented by are Reisinger et al. al. See Zeigler Zeigler al. been by Reisinger et (1995). See et this discrete event paradigm. In the field of continuous systems (2000) for pseudo-code description of these abstract simulators. simulation, there is a family of asynchronous (event-driven) been implemented by Reisinger et al. (1995). See Zeigler et al. al. simulation, there is a family of asynchronous (event-driven) numerical integrators called QSS, see Cellier et al. (2006) for (2000) for pseudo-code description of these abstract simulators. (2000) for description of abstract simulators. simulation, there is a called familyQSS, of asynchronous numerical integrators see very Cellier et (event-driven) al. (2006) (2006) for This (2000) for pseudo-code pseudo-code description ofofthese these abstract simulators. numerical integrators called QSS, see Cellier et al. for paper focuses on the integration a Time Petri Net (TPN) an overview of this method, that shows good results. Those numerical calledthat QSS, see very Cellier et results. al. (2006) for This paper focuses on the integration of a Time Petri Net (TPN) an overviewintegrators ofuse thisthe method, shows good Those This integration of Petri an of this method, that good Those of on thethe PDEVS simulator into ProDEVS. This simulators same scheme: it isvery the change of a variable This paper paper focuses focuses on the integration of aa Time Time Petri Net Net (TPN) (TPN) an overview overviewall ofuse thisthe method, that shows shows very good results. results. Those implementation implementation of the PDEVS simulator into ProDEVS. ProDEVS. This simulators all same scheme: it is the change of a variable implementation of the PDEVS simulator into This simulators all use the same scheme: it is the change of a variable work results in a formal MBSE framework we called Pro(or signal) value which triggers what we call an event. An implementation of the PDEVS simulator into ProDEVS. This simulators all use the sametriggers scheme:what it is the change ofevent. a variable work results in a formal MBSE framework we called Pro(or signal) value which we call an An work results in a formal MBSE framework we called Pro(or signal) value which triggers what we call an event. An jectDEVS which takes a ProDEVS model and its simulator, event can occur at any time. A variable is updated only when a results in atakes formal MBSE framework weitscalled Pro(or signal) valueat which triggers what iswe call anonly event. Ana work jectDEVS which a ProDEVS model and simulator, event can occur any time. A variable updated when jectDEVS which takes a ProDEVS model and its simulator, event event can can occur occur at at any any time. time. A A variable variable is is updated updated only only when when aa jectDEVS which takes a ProDEVS model and its simulator,

Copyright 5992Hosting by Elsevier Ltd. All rights reserved. 2405-8963 © © 2017 2017, IFAC IFAC (International Federation of Automatic Control) Copyright © 2017 IFAC 5992 Copyright 2017 IFAC 5992Control. Peer review© under responsibility of International Federation of Automatic Copyright © 2017 IFAC 5992 10.1016/j.ifacol.2017.08.535

Proceedings of the 20th IFAC World Congress Vincent Albert et al. / IFAC PapersOnLine 50-1 (2017) 5812–5817 Toulouse, France, July 9-14, 2017

CDEVS2TPN Model PDES2TPN Transformation Model PDEVS2TPN Transformation Model Transformation

export

GUI

repository

repository

model checked properties

reachability graph

FMU

DEVS Model

TINA Toolbox

import import

output chart

export

Model

5813

animation

Description ProDEVS

exploration

TPN Model

Controller COMM

TPN2VHDL Code Generator

FPGA

TPN2J ava Code Generator

TPN2C Code Generator

Binary file

Binary file

FMI++

ODE solver ODEINT

Fig. 1. ProjectDEVS Architecture automatically transforms them into a TPN and deploy the latter as a program, as digital hardware or as a mix of both. Petri net is very efficient to describe parallelism and concurrency (resource sharing, synchronization) between tasks or processes. The advantages of using TPN as a backbone between a ProDEVS model and the platform dependant virtual prototype are : (1) the development of new simulators are not hand coded anymore, there are specified using temporal logic and designed using TPN, without any impact on the deployment phase, (2) a model can be checked against a formal specification to some extent (formal methods are subject to combinatory explosion) and we can ensure that the virtual prototype is correct, (3) formal verification can be coupled with simulation statically or dynamically (during run-time). In the next section the architecture of the framework is detailed. Then, Section 3 defines the DEVS formalism, the principles of PDEVS simulator and the class of TPN we use. In Section 4, the rules for implementing a DEVS atomic component and a PDEVS simulator are given. Section 5 describes and illustrates the method we employ to verify the implementation and finally, perspectives and issues are given in Section 6. 2. ARCHITECTURE The architecture of the ProjectDEVS framework is illustrated on figure 1. It includes ProDEVS, the model designer of ProjectDEVS, which includes a GUI offering a block-oriented view for model design. A model is constructed with concurrent components that can be imported from ProDEVS components repository or designed from scratch using input/output timed automata that we specially profiled for DEVS formalism, see Vu et al. (2015). User can create its own repository. Basically, the repository contains components for continuous systems, such as QSS integrators, or quantizers and switches for hybrid systems. We recently integrated FMI cosimulation and model exchange features, see MODELISAR (2014) for FMI specification, such that Fonctional Mockup Units (FMU)

can also be imported in the model. We have developed a DEVS-FMI wrapper to synchronise discrete-time simulators with discrete-event simulators using FMI++. The FMI++ library is a utility package, implemented by Widl et al. (2013), that provides simulation functionalities for FMI model exchange and cosimulation specification. It includes a numerical integrator and a state record mechanism for roll-back. From a model description captured in the GUI and a given abstract simulator, a TPN model is generated. This TPN can be exported to the TINA toolbox, see Berthomieu et al. (2006), for model checking. Then, a description of the structure of the Petri Net with dedicated components to implement places and transitions, and boolean or logical equations to represent enabling and firing conditions can be generated for simulation. This generated code is associated to a Time Manager which is in charge of simulation time events synchronisation and Action Managers to handle data computation in reaction of transition firing. A simulation clock provides events to make the internal TPN state evolve. Combined with a Run Manager aware of the given TPN structure, the prototype can be interfaced to a controller for simulation controls (run, step, break) and data visualisation. Data is recorded on a value change event, and stored along with the associated simulation time. A mapping between the ProDEVS model domain and the platform dependant variables is loaded into the controller for data charts. For software deployment, we have Java and C code generators that provide binary code which is interfaced with the controller. For hardware, a VHDL code is generated in a synthesizable form which can be used on a FPGA. The component representing the model is then wrapped in a register-based structure which can be adapted to most bus interfaces. Then, the simulator is interfaced with the controller through an Ethernet network using a small program running on a processor inside the FPGA. Interfaces for buses used by Xilinx and Altera, AXI and Avalon, are generated along with the model code.

5993

Proceedings of the 20th IFAC World Congress 5814 Vincent Albert et al. / IFAC PapersOnLine 50-1 (2017) 5812–5817 Toulouse, France, July 9-14, 2017

3. DEFINITIONS

between transitions, the source transition having higher priority.

3.1 Discrete Event System Specification The following definition is taken from Zeigler et al. (2000). A DEVS atomic component is a tuple X, Y, S , δext , δint , λ, ta in which : • X = {(p, v)| p ∈ I ports, v ∈ X p }, is a set of input ports and their values, Y = {(p, v)| p ∈ Oports, v ∈ Y p }, is a set of output ports and their values, and S is a set of sequential states, • δext : Q × X → S , is the external transition function which defines how the state changes when an input event occurs: · Q = {(s, e)|s ∈ S , 0 ≤ e ≤ ta(s)} is the total state, · e is the elapsed time since the last event, • δint : S → S , is the internal transition function which defines how the state changes when a time event occurs, • λ : S → Y, is the output function which defines the output to produce at a time event, • ta : S → R+0,∞ , is the time advance function which is used to determine the lifespan of a state.

Moreover, we use various arcs implemented in TINA. The standard arc is written p → t with p ∈ P and t ∈ T gives Pre(t, p) = 1 or t → p with p ∈ P and t ∈ T gives Post(t, p) = 1. The inhibitor arc, written p  t disables t if there is at least ∗ one token in p. The reset arc written p → t removes all tokens of p when t is fired. The reset arc is non blocking for a transition t, i.e. Pre(t, p) = 0. The read arc written p  t is blocking, i.e. Pre(t, p) = 1, but does not modify the marking of p after firing of t. Definition 2. A state of a TPN is a pair s = (m, I) in which m is a marking and I is a function called the interval function. Function I : T → I + associates a temporal interval with every transition enabled at m. Definition 3. The semantics of a PrTPN P,T,Pre,Post,,m0 ,I s  is the timed transition system S , s0 ,  where:

• S is the set of states (m, I) of the PrTPN • s0 = (m0 , I0 ) is the initial state, where m0 is the initial marking and I0 is the static interval function I s restricted to the transitions enabled at m0 . • ⊆ S × T ∪ R+ × S is the state transition, defined as a follows ((s, a, s ) ∈ is written s  s ). t • we have (m, I)  (m , I  ) iff t ∈ T and: (1) m ≥ Pre(t), t is enabled at state m (2) 0 ∈ I(t), t is fireable instantly (3) (∀t ∈ T ) then (m ≥ Pre(t ) and (t  t) ⇒ 0  I(t )), there is no transition with higher priority that satisfies 1 and 2 (4) (∀k ∈ T )(m ≥ Pre(k) ⇒ I  (k) = if k  t ∧ m − Pre(t) ≥ Pre(k) then I(k) else I s (k)). After the firing of t then m = m − Pre(t) + Post(t), transitions that remain enabled (except t) preserve their interval before firing, all others transitions are associated with their static interval. θ • we have (m, I)  (m , I  ) iff θ ∈ R+ and : (5) (∀k ∈ T )(m ≥ Pre(k) ⇒ θ ≤↑ I(k)), a temporal transition θ is possible if θ is not larger than the right endpoint of any transition enabled. (6) (∀k ∈ T )(m ≥ Pre(k) ⇒ I  (k) = I(k) − θ, θ is removed from the interval of every transition enabled before firing of the timed transition.

DEVS defines an abstract syntax, whence transition functions and/or output functions may execute simple actions described by algebraic equation or complex functions with iterative loop and branch or even a FMU step. An informal specification of PDEVS abstract simulator is now given. Every component is in a state s ∈ S at a given time and must be in that state for a period e = ta(s) if no input event occurs. When the time e has elapsed without any input event has occurred for some imminent components, an internal time event occurs, whence, they simultaneously calculate y = λ(s) and when every output computation is finished, they simultaneously trigger their internal transition function δint (s). If instead, for some components, an input event x ∈ X occurs before the expiration of e, these non imminent components trigger their external transition function δext (s, e, x). Communications are asynchronous, i.e. non-blocking with the possibility of message loss. If upon receipt of a message on the input port x, a component is in a state s listening on x i.e., δext (s, e, x) ∈ δext , the message will be processed, otherwise it will be lost and ignored by the receiver. There may be multiple components which are candidates for internal time event at the same time. As a result of coupling, they may also receive input event at the same time. When ta(s) = ∞, only an input event will leave the state. When ta(s) = 0, the component is immediately imminent. 3.2 Time Petri Net The following definitions are taken from Berthomieu et al. (2007). Definition 1. A Time Petri Net with priority (PrTPN) is a tuple P, T, Pre, Post, , m0 , I s  with :

• P, T, Pre, Post, m0 is a Petri Net where P is the set of places, T is the set of transitions, m0 is the initial marking and Pre, Post : T × P → R+0,∞ are pre and post incidence matrices respectively. • I s : T → I + is the static interval function with I + the set of non empty real intervals with non negative rational endpoints. •  is the priority relation, assumed irreflexive, asymmetric and transitive. Priority are represented by oriented arcs

Every enabled transition must be fired between its associated interval. Our TPN implementation uses only punctual bounded intervals, i.e. under the form [θ; θ]. In Berthomieu et al. (2007), the authors have found a convenient abstraction of the state graph S G = (S , s0 , ) which preserves Linear Temporal Logic (LTL) model checking and marking and decides state reachability. They also cite two alternate constructions of an abstraction, for the subclass of TPNs in which all transitions have bounded static intervals, which preserves Combinatory Temporal Logic (CTL) model checking and branching. 4. PDEVS2TPN RULES A ProDEVS model is a composition of N atomic components exchanging messages. A TPNDEVS (the TPN implementation of a ProDEVS model and its simulator) is a set of N + 1 TPNs sharing common places. For every atomic component we have a TPN with one place for every input and output

5994

Proceedings of the 20th IFAC World Congress Vincent Albert et al. / IFAC PapersOnLine 50-1 (2017) 5812–5817 Toulouse, France, July 9-14, 2017

pspk,n

pck,s

pspkd,n

(a) clock management if ta(s ) = ∞ pimm

px 0

tλ,s

[0; 0]

pimm

ps

pimm

tim,s

[ta(s); ta(s)]

py

(b) output function λ(s)

pmv,n

px i

ps

px 0

*

*

*

[0; 0]

tδint ,s

pimm

*

*

pck,s

*

tδext ,s

if ta(s ) = ∞

if ta(s ) = ∞ p

pck,s

...



s

px i

px 1

...

[0; 0]

5815

pmvd,n

(c) internal transition function δint (s) = s

ps 

pck,s

(d) external transition function δext (s, e, x0 ) = s

Fig. 2. TPN blocs for atomic component immediate, pimm  tλ,s and tλ,s → py , the marking of py ∈ P denotes that a data is available in the output port y ∈ Y and tλ,s denotes the firing of the output function from s (8) for every internal transition function δint (s) ∈ δint , we have a transition tδint ,s ∈ T n such that I s(tδint ,s ) = [0; 0] and pimm → tδint ,s . The marking of p s denotes that the current state is s. For every internal transition function δint (s) = s , we have p s → tδint ,s and tδint ,s → p s , and for every input ∗ port x ∈ X, we have p x → tδint ,s . Finally, if ta(s )  ∞ we have tδint ,s → pck,s (9) for every external transition function δext (s, e, x) ∈ δext , we have a transition tδext ,s ∈ T n such that I s(tδext ,s ) = [0; 0]. For every external transition function δext (s, e, x) = s , we have p s → tδext ,s , tδext ,s → p s and p x → tδext ,s , and for every ∗ input port x ∈ X (except x), we have p x → tδext ,s . Finally, ∗ ∗ we have pimm → tδext ,s , pck,s → tδext ,s and if ta(s )  ∞ we have tδext ,s → pck,s .

port. A connection from an output port to an input port results in the fusion of the two corresponding places. Another TPN, the coordinator, is used for synchronisation and scheduling of atomic components. Atomic components and coordinator communicate via places. The figure 3 illustrates a TPNDEVS structure where an arrow represents a fusion of places. y0 A1

y0

x0 x1

y0

x0 A3

A2

(a) DEVS model Coordinator

p y0 A1

px 0 px 1

p y0

py 0 px 0 A2

A3

(b) TPNDEVS model

Fig. 3. TPNDEVS structure 4.1 TPN model of the atomic component An atomic component is given by 4 elementary blocs as shown in figure 2: local clocks management, outputs functions, internal and external transitions. For every atomic component n = X, Y, S , δext , δint , λ, ta we define a TPN Pn , T n , Pre, Post, m0 , I s  such that: (1) (2) (3) (4)

for every state s ∈ S we have a place p s ∈ Pn for every input port x ∈ X we have a place p x ∈ Pn for every output port y ∈ Y we have a place py ∈ Pn we have places p spk,n , p spkd,n , pmv,n , pmvd,n ∈ Pn which are used for communication with the coordinator (5) we have a place pimm ∈ Pn . When pimm is marked, it denotes that the component is imminent (6) for every state s ∈ S such that ta(s)  ∞ we have a place pck,s ∈ Pn and a transition tim,s ∈ T n . We have pck,s → tim,s , tim,s → pimm and I s(tim,s ) = [ta(s); ta(s)] (7) for every output function λ(s) ∈ λ we have a transition tλ,s ∈ T n such that I s(tλ,s ) = [0; 0], i.e. the firing is

Consider an atomic component n at the initial state s ∈ S , then pck,s and p s are marked. The only condition for firing tim,s is the marking of pck,s . If pck,s remains marked for time ta(s) because no external event has occurred, then tim,s is fired and pimm is marked denoting that n is imminent. An output function is then triggered by the firing of tλ,s which produces a token in py . Then, the internal transition function is triggered by firing tδint ,s . Every input port place is emptied and the component is in a new state s denoted by the marking of p s . If an input external event on port x ∈ X has occurred before ta(s) expired, denoted by the marking of the input port place p x , the external transition function is triggered by the firing of tδext ,s . Every input port place is emptied and the token in pck,s is consumed. n is now at state s denoted by the marking of p s and a new cycle starts. If n receives an input event on x, m(p x ) = 1 while n is imminent, m(pimm ) = 1, then there is a conflict between tδint ,s and tδext ,s that can be resolved by adding a priority. 4.2 TPN model of a ProDEVS model and its PDEVS simulator The semantic of a TPNDEVS model is a game, where the players are the atomic components, that takes place in two

5995

Proceedings of the 20th IFAC World Congress 5816 Vincent Albert et al. / IFAC PapersOnLine 50-1 (2017) 5812–5817 Toulouse, France, July 9-14, 2017

pimm,1

pimm,n

pspk,1

pspk,n

1........n tλ1 ,1 tλl ,1

tλl ,n

tspkpass,1 [0; 0]

tλ1 ,n tspkpass,n [0; 0]

p1immN pspkd,1

pspkd,n

*

tmv

pmv,1 tδextt ,1 tδint2 ,1

tδext1 ,1

pmv,n px1 ,n

pxi ,1

px1 ,1

mvpass,1

tδextt ,n tδint2 ,n tδext1 ,n

...

...

**[0;t 0]

pxi ,n

**

tspk

pmvd,1

tmvpass,n [0; 0] pmvd,n

Fig. 4. PDEVS coordinator stages for every simulation step. In the first stage, players can speak by triggering an output function and in the second stage they can move by triggering an internal or an external transition function. For each stage players can also pass. Each stage is modelled by a Petri Net parallel structure. For each simulation step, the players will speak in parallel, then synchronise each other, then move in parallel and finally synchronize again. A PDEVS coordinator is a PrTPN P, T, Pre, Post, , m0 , I s  such that: (1) we have a place p1immN ∈ P denoting the number of imminent components at a given simulation cycle and we have transitions t spk , tmv ∈ T denoting the time to speak or to move respectively. (2) for every atomic component n ∈ N we have: • places p spk,n , p spkd,n , pmv,n , pmvd,n ∈ P and transitions t spkpass,n , tmvpass,n ∈ T . p spk,n and pmv,n denoting that component n can move and speak respectively. p spkd,n and pmvd,n denote that n has spoken or moved respectively. t spkpass,n and tmvpass,n are fired if n pass its turn at stage speak and move respectively • pimm,n  t spkpass,n , denotes that a component can pass its turn only if it is non imminent. For every tim,s ∈ T n we have tim,s  t spkpass,n • for every tλ,s ∈ T n , we have p spk,n → tλ,s , tλ,s → p spkd,n and tλ,s → p1immN • for every tδint ∈ T n , we have pmv,n → tδint , tδint → pmvd,n , tδint  tmvpass,n . Idem for every tδext ∈ T n ∗ • for every p x ∈ P we have p x → tmvpass,n .

The graphical representation of the TPN model of a ProDEVS model and its PDEVS simulator is given on figure 4.

p1immN is used to preserve deadlock if every component is in state s with ta(s) = ∞. It denotes that at least one component among N must be imminent to continue the game. It is the only place of the all TPNDEVS which is N-bounded. All others places are 1-bounded. The initial marking gives one token in places p spk,1 , ..., p spk,n denoting to the players that they can speak. p spk,n is consumed either by the firing of an output function transition or by

t spkpass,n if pimm,n has no token. Every component can trigger an output function if it is imminent otherwise it passes. At the end of this stage, tmv is enabled. Then, the marking of pmv,1 , ..., pmv,n denotes it’s time to move. A component n can trigger an external or internal transition function or pass by the firing of tmvpass,n . Note that input port places are emptied by the firing of tmvpass,n . Indeed, it is possible that a non imminent component receives inputs while it is in a state that do not accept these inputs. When every component has moved a new cycle starts. 5. VERIFICATION Model checking consists in applying temporal logic to semantics. To reason by model checking on a ProDEVS model, the transformation must be sound. A transformation is sound if the semantics of the ProDEVS model with its simulator, called the abstract semantics, cover all possible cases of the semantics of the corresponding TPN, called the concrete semantics. Whence, a logic formula is satisfied in the concrete only if it is satisfied in the abstract. We have manually defined abstract semantics with timed transition system (S , s0 , ) as given by definition 3. The bottom graph in figure 5 shows a part of the abstract semantics for the phase speak with three imminent components in the model. Transition labels a, b and c mean that component A, B and C respectively have spoken, i.e. an output event has been computed. This graph says that, in PDEVS, if multiple components are candidate for time internal event, the outputs can be computed in parallel. Then, the abstract semantics is mapped on the concrete semantics as illustrated in figure 5. The top graph shows the part of the state graph given by TINA with a mapping to the abstract semantics. We can observe that the abstract semantics covers all the possible cases of the concrete semantics and that markings, states and traces are preserved. The figure 6 shows a part of the abstract semantics for the phase speak then move with three components A, B, C. a, b and c are like before, d (respectively e) means that component A (respectively B) has moved, i.e. an external or an internal transition has been computed. f (respectively g) means that component C has computed an internal transition (respectively an external transition). This case can happen if A, B and C

5996

Proceedings of the 20th IFAC World Congress Vincent Albert et al. / IFAC PapersOnLine 50-1 (2017) 5812–5817 Toulouse, France, July 9-14, 2017

TPN state space ti m m , s , B

ti m m , s , A

synchronisation at each level. Our transformation flattens the model so it improves the performance of the simulation by eliminating intermediate coordinators and message passing.

ti m m , s , B

tλ , s , A

tλ , s , B

tλ , s , A

ts p k

tλ , s , B

ti m m , s , A ti m m , s , B

The other source of overall performance improvement of the simulation comes from the hardware virtual prototype. Compared to software execution, there are two major differences in the run time: the hardware generation can be very long (up to quarter an hour), where the software code compilation takes only seconds. But the hardware execution time is unrivaled by software: only a few clock cycles are used to perform a full simulation step, where the software code is dependant on a sequential execution scheme which slows it down. Thus, for small models very quickly executed on software, one will have no interest in using the hardware execution. For large models and very long simulations times however, the hardware penalty coming from the circuit generation is very quickly offset by the gain in execution time.

tλ , s , A

ti m m , s , A tλ , s , B

time

ProDEVS state space b a

ts p k

b c

c

c

a

a

c

tm v

b a

b

time

Fig. 5. Abstract semantics and mapping to concrete semantics are all candidates to internal time event, and if C is in a state that listens on external transition g with an input connected to the output triggered by the output function a. There is an unresolved non-determinism in the ProDEVS model because an internal event time is equal to an input external event time which leads to consider two transitions that potentially brings the system to different states. Again, after the mapping, one can observe that the abstract semantics covers all the possible cases of the concrete semantics and that branching is preserved. ProDEVS state space a ts p k

b c

b

a

f

c

a b

b a

b

d

c tm v

e f g

f

f

d f

g

d e

ts p k

e

d e

5817

d g

e

g

d

ts p k

time

Fig. 6. Abstract semantics with conflict between internal and external events 6. CONCLUSION This paper shows the integration of a Time Petri Net implementation of a parallel simulator into a modelling and simulation tool for virtual prototype development. A designed model and its simulator are automatically transformed into a correct TPN. Model checking, to verify absence of deadlock, detect non determinism, ensure reachability or safety, can be performed onto the abstract model domain using the TINA toolbox. However, as TINA only handles integers for variable and time, the data part, i.e. the action managers of the ProDEVS model are not part of the state space if it is not finite (every variable including time advance function is a bounded integer). Moreover every time advance function must be static. The TPN model is then automatically deployed on a platform via code generators. This has at least two advantages. First, we feel more confident and comfortable in implementing simulators with TPN rather than manually code it which is error prone while TPN2Code generators are developed once for each execution platform then works for every simulator and every model. Second, in DEVS, a simulator is constructed hierarchically in order to preserve causality violation with local clock

REFERENCES B. Berthomieu, F. Vernadat. Time Petri Nets Analysis with TINA. In Proceeding of 3rd Int. Conf. on The Quantitative Evaluation of Systems (QEST), IEEE Computer Society, 2006. B. Berthomieu, F. Peres, F. Vernadat. Model-checking Bounded Prioriterized Time Petri Nets. In Proceeding of 5th Automated Technology for Verification and Analysis Symposium (ATVA), 2007. F. E. Cellier and E. Kofman. Continuous System Simulation. Springer-Verlag New York, Inc., Secaucus, NJ, USA, 2006. A. Chow. Parallel DEVS: a Parallel, Hierarchical, Modular Modeling Formalism and its Distributed Simulator. SCS Transactions on Sim 13(2), 1996. E. R. Christensen. Hierarchical Optimistic Distributed Simulation:Combining DEVS and Time Warp. Doctoral Dissertation, University of Arizona, 1990. A. Ferscha. Probabilistic Adaptive Direct Optimism Control in Time Warp. In Proceedings of the 9th Workshop on Parallel and Distributed Simulation, 1995. D. Jefferson and H. Sowizral. Fast Concurrent Simulation Using the Time Warp Mechanism. In Proceedings of the SCS Distributed Simulation Conference, 1985. MODELISAR Fonctional Mockup Interface specification 2.0. https://www.fmi-standard.org/. (2014) Claudius Ptolemaeus, Editor. System Design, Modeling, and Simulation using Ptolemy II. Ptolemy.org, 2014. G. Reisinger and H. Praehofer. Object Oriented Realization of a Parallel Discrete Event Simulator. In Proceedings of the Eurosim. Congress, Vienna, Austria, 1995. L. H. Vu, D. Foures, V. Albert. ProDEVS: An Event-driven Modeling and Simulation Tool for Hybrid Systems Using State Diagrams. In Proceedings of 8th International Conference on Simulation Tools and Techniques (SIMUTOOL), Athens, Greece, pp. 29-37, 2015 E. Widl, W. M¨uller, A. Elsheikh, M. H¨ortenhuber, and P. Palensky. The FMI++ Library: A High-level Utility Package for FMI for Model Exchange. In Proceedings of the IEEE Workshop on Modeling and Simulation of Cyber-Physical Energy Systems, 2013. B. P. Zeigler Theory of Modeling and Simulation. Academic Press, 1st edition, 1976. B. P. Zeigler, H. Praehofer, and T. G. Kim. Theory of Modeling and Simulation. Academic Press, 2nd edition, 2000.

5997