MODELLING TIME CRITICAL COMMUNICATION NETWORKS WITH STOCHASTIC TIMED PETRI NETS
G. Juanole, Y. Atamna and N. Berge LAAS/CNRS 7, avenue de Colonel Roche F-31077 Toulouse Cedex France
J.M Farines Departamento de Engenharia Eletrica Universidade Federal de Santa Catarina 88049 Florianopolis SC
Abstract. The goal of this paper is to show that the Stochastic Timed Petri Nets are a good model for the formal specification of time critical communication networks (communication networks are becoming an essential component of production automation systems). The Stochastic Timed Petri Nets make it possible, in particular, to model parallelism and synchronisation by message exchange and by time constraints (this last point is essential in a real time context). The example of a field bus network (the system FIP, French proposal for a standard) is considered: the data link protocol for the periodic traffic and different services provided by the link layer are modelled and analysed.

Keywords. Distributed data bases; computer communications; protocols; time domain analysis; Stochastic Timed Petri Nets; probabilities.
INTRODUCTION

• Communication networks make it possible to achieve the required level of integration and coordination in Production Automation. A hierarchy of communication networks (Messina, 1990) is defined: Plant Networks, Control Networks, fieldbuses.
• A fieldbus is a low level industrial local network for process control, i.e. one which connects sensors, actuators and automatic controllers. The exchanges on a fieldbus are mainly: information from the sensors to the controllers; commands from the controllers to the actuators; information between controllers.
• Important requirements of a fieldbus are Time Requirements which, it is essential, must be verified before implementing (a formal model, which can express time constraints, is then necessary).
• This paper concerns the study of the fieldbus FIP (French proposal for a standard) by using the Stochastic Timed Petri Net (STPN) model (Juanole, Roux, 1989; Juanole, Atamna, 1991).
• In a first part, we present the FIP system and the communication activity which is considered. In a second part, we model and analyse this communication activity.
FIP SYSTEM

General View

The system FIP consists of a communication bus with stations relative to the different equipments (controllers - sensors - actuators) and a station called "Bus Arbiter" which controls the exchanges of frames on the bus (centralized control). The FIP communication architecture is a three layer architecture: the upper layer (called application layer) provides, to the user processes of the command system, the services of having access to variables (MPS services) and messages (MMS services) (Fipa, 1988); the data link layer (Fipb, 1988) provides, to the application layer, the service of transferring variables and messages; the physical layer provides, to the data link layer, the serial bit transfer service.

The variables of the MPS service constitute a data base for the different equipments (distributed data base): each variable has one producer equipment and one (or several) consumer equipment(s). Two statuses are associated to the values of the variables (Reisig, 1985): a refreshment status and a promptness status. The refreshment is an information which is elaborated in the Producer link layer (its goal is to inform the user consumer that the variable has been produced during a good time interval, i.e. the production is not "too old"). The promptness is an information which is elaborated in the consumer link layer (its goal is to inform the user consumer that the variable has been received during a good time interval, i.e. the reception is not "too old").
An important modality of the system FIP is the periodic updating of the distributed data base (the updating period depends on the time constraints of the distributed application). This updating is obtained through the buffer writing, buffer reading and buffer transfer services provided by the link layer to the application layer. Each variable has an IDentifier (ID). The buffer writing (reading) service allows the writing (reading), by the application layer of a producer (consumer) site, of the value of a variable ID in a buffer of the link layer. The buffer transfer service allows the link layer to indicate, to the application layer of a Producer site and a Consumer site, respectively the sending and the reception of a variable ID. The link layer realizes a communication protocol in order to provide the buffer transfer service: we call this service and this protocol the buffer transfer service - protocol pair. In this paper, we only consider the analysis of the buffer transfer service - protocol pair and the buffer writing service.
Buffer Transfer Service - Protocol Pair

Architecture

The fieldbus FIP is represented on Fig 1 (only one producer and one consumer are represented). The arbiter, which has the global view of the system (list of all the variables ID), periodically broadcasts (the period is T'0) a frame called ID_DAT including a variable ID; then the arbiter waits for a frame, called RP_DAT (sent by the producer of the variable ID), before broadcasting another frame ID_DAT including another variable ID. In this way, the arbiter can see the good behaviour of the system. After the reception of a frame ID_DAT:

• The station which recognizes itself as the producer of the variable ID must turn round its modem (time TRET) and the frame RP_DAT is then sent.
• Each station which recognizes itself as a consumer of the variable included in the frame ID_DAT waits for the reception of the frame RP_DAT.

Two Timers T0 and T1 detect bad behaviours of the system:

• the timer T0 allows the Bus Arbiter to detect the loss of an ID_DAT or an RP_DAT frame; when the timer is out, the Bus Arbiter goes into a state where it is ready to send a new frame ID_DAT.
• the timer T1 allows a consumer station to detect the non-arrival of the frame RP_DAT expected after the reception of a frame ID_DAT; then the consumer goes into a state where it is ready to receive a new frame ID_DAT.

The coupling between the protocol and the service, for the buffer transfer, in the producer and consumer sites is shown on Fig 2:

• in the producer site: the link layer transmits an indication to the application layer (L_Sent_Indication) after the sending of the frame RP_DAT,
• in the consumer site: the link layer transmits an indication to the application layer (L_Received_Indication) after the reception of the frame RP_DAT.

Time constraints

In order to analyse the hardest constraints (from the view of multiplexing data on the bus), we suppose that during each period T'0, the same producer and the same consumer are involved. We distinguish two working conditions: normal conditions (i.e. the system works perfectly) and abnormal conditions (i.e. we can have losses of ID_DAT and/or RP_DAT).

Normal conditions

The constraint concerns the relation Producer - Arbiter, i.e. the producer must be ready for considering the next ID_DAT:

$T'0 \geq TRET + 2\tau(A - P)$

$\tau(A - P)$ means propagation time between the Arbiter and the Producer.

Abnormal conditions

• At the Arbiter: the Arbiter must detect the loss of ID_DAT or RP_DAT in order to be ready for sending the next ID_DAT:

$T0 \geq TRET + 2\tau(A - P)$

furthermore we must have:

$T'0 \geq T0$

• At the Consumer: the Consumer must detect the loss of RP_DAT in order to be ready for considering the next ID_DAT:

$T1 \geq TRET + \tau(A - P) + \tau(P - C) - \tau(A - C)$

• Note that the constraints between the different Timers depend on the relative position of the Arbiter, the Producer and the Consumer on the bus. Here, for our study, we consider positions like in Fig 1.

Buffer Writing Service

Architecture

This service is represented on Fig 3. The buffer writing service has two phases: the application layer writes a variable in a link layer buffer (L_Put.Request); the link layer confirms this writing (L_Put.Confirm).

Refreshment status

This status, which is elaborated by using a timer, can have, in particular, the attribute "asynchronous" or "synchronous" according as it is not controlled (or it is controlled) by synchronisation variables. Here we only consider the asynchronous case. The temporal diagram of this status is represented on Fig 4: as soon as a produced variable is written in the buffer, the refreshment timer is initialized (if it is out) or reinitialized (if it is on); the status is true as long as the timer is on and becomes false at the time-out (the time-out occurs when the periodicity of the production and/or the writing fails).

Time constraints

The refreshment Timer value (RT) specifies the maximum time interval between two writings. Then we have the following constraint: Time between two writings $\leq$ RT.

MODELLING WITH STOCHASTIC TIMED PETRI NETS (STPN)

STPN Background

A full presentation of the Stochastic Timed Petri Nets can be found in (Juanole, Roux, 1989; Juanole, Atamna, 1991). They are an extension of the elementary Petri Nets (Reisig, 1985) where we associate to each transition a firing time interval and a probability density function on the firing time interval. Arbitrary probability density functions are considered (Juanole, Atamna, 1991): uniform, discrete, mixed (uniform and discrete), exponential. This model expresses the parallelism, the synchronisation by message exchange and by time constraints and allows both a qualitative analysis (functional correctness) and a quantitative analysis (performance). The analysis is based on a randomized state graph, the transitions of which are labelled with an event, a probability and a time value (the probabilities and the time values depend on the time characteristics (interval - probability density function) associated to the transitions of the Petri Net). The qualitative analysis does not consider the probabilities and the time values in the randomized state graph. Two kinds of properties are concerned by the qualitative analysis (Juanole, Roux, 1989): general properties, i.e. mission independent, like the boundedness, and specific properties, i.e. mission dependent and based on the interpretation of events associated to the transitions of the graph (such properties can be expressed with temporal logic formulas (Emerson, 1990) like "It is inevitable ...", "it is potential ..."). The quantitative analysis makes the specific properties of the qualitative analysis explicit (by means of probabilities and durations).

Buffer Transfer Service - Protocol Pair

The underlying Petri Net model

The models of the Arbiter, the Producer, the Consumer and the transmission medium are represented on Fig 5. In the different models, some transitions are labelled with labels (?x) or (!x) or (?x/!y, where y can be equal to x) or (!x, !y): ?x (!x) means reception (sending) of an interaction; ?x/!y represents the reception of x followed, in an atomic way, by the sending of y; !x, !y means the sending in an atomic way of x and y. Note furthermore that we have transitions in the Arbiter, Producer and Consumer models labelled with the name of the Timers which they represent (T'0, T0, TRET, T1). Concerning the transmission medium: the Arbiter - Producer medium is a half duplex FIFO carrying two types of messages (ID_DAT and RP_DAT) and where a collision can occur (transition t e ); the Producer - Consumer medium is a simplex FIFO carrying two types of messages (ID_DAT and RP_DAT).

Time specification

We consider the following specifications:

- T'0 = T0: $f(x) = 0.5$ for $16 < x < 18$
- TRET: $f(x) = 0.5$ for $9 \leq x \leq 11$
- T1: $f(x) = 0.5$ for $10 \leq x \leq 12$
- t6 and t7: $f(x) = \delta(x - 1)$
- t10 and t11: $f(x) = \delta(x - 3)$
- all the other transitions are immediate transitions: $\delta(x)$.

Buffer Writing Service

The underlying Petri Net model

It is represented on Fig 6: the places P1 and P2 and the transitions between these places visualize the variable production (transition t1) and the writing in the buffer (transition t3, when the refreshment status is false, and transition t4, when the refreshment status is true); the Timer for the refreshment mechanism is modelled by the places P5 and P6 and the transition t5. The transition t2 visualizes the failure of the production and/or the writing. The transitions t7 and t8 visualize the interactions with the buffer transfer service - protocol pair.

Time specification

We consider the following specifications:

- t1: $\delta(x - 17)$; t5: $\delta(x - 20)$
- t3, t4, t6, t7 and t8: $\delta(x)$
- t2: $.01\,\delta(x) + .99$, $0 \leq x \leq 1$

Global Modelling

At first, we have considered the buffer transfer service - protocol pair (by means of the Petri Nets represented on Fig 5) and we have obtained the randomized state graph, an abstract view of which is represented on Fig 7 (an abstract view is a projection on a subset of events, relevant from the user's point of view). On Fig 7, each transition between two states is labelled with: the name of the event which occurs from the input state; the branching probability; the mean time value. From this abstract view, we have got a Petri Net (each transition of the state graph of the abstract view can be seen as a transition of a Petri Net) and we have interconnected this Petri Net with the Petri Net representing the buffer writing service (Fig 6). The interconnection is made by merging the transitions labelled with (!RP_DAT(producer), !L_Sent_Indication(producer)). The randomized state graph of the global system has 34 states (in order to have a more readable graph, we only represent here an abstract view of this graph: Fig 8, where the dotted lines represent the abnormal behaviour).
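The refreshment status of the Buffer Writing Service (timer re-armed on every buffer write, status false after the time-out) can be replayed over a list of write times. The following is an added example, not code from the paper or from the LAAS tool; it uses the production period of 17 and the refreshment timer value of 20 time units from the time specification of t1 and t5, and the function names and the write trace with one missed write are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

RT = 20                          # refreshment timer value (t5 in the specification)
PERIOD = 17                      # production period (t1 in the specification)
# Constructed trace: periodic writes, the write expected at t = 51 is missing.
WRITES = [0, 17, 34, 68, 85]


@dataclass
class RefreshmentTimer:
    rt: float
    expires_at: Optional[float] = None   # None: the timer is out

    def write(self, now):
        """A buffer write initializes (or reinitializes) the timer."""
        self.expires_at = now + self.rt

    def status(self, now):
        """Refreshment status: true as long as the timer is on."""
        return self.expires_at is not None and now < self.expires_at


def gap_violations(write_times, rt):
    """Pairs of consecutive writes that break 'time between two writings <= RT'."""
    ts = sorted(write_times)
    return [(a, b) for a, b in zip(ts, ts[1:]) if b - a > rt]


def stale_intervals(write_times, rt, horizon):
    """Intervals (start, end) within [0, horizon] where the status is false."""
    timer = RefreshmentTimer(rt)
    stale = []
    false_since = 0.0            # the status is false until the first write
    for t in sorted(w for w in write_times if w <= horizon):
        if not timer.status(t) and t > false_since:
            stale.append((false_since, t))
        timer.write(t)
        false_since = timer.expires_at   # earliest time the status can drop
    if false_since < horizon:
        stale.append((false_since, horizon))
    return stale


if __name__ == "__main__":
    print("constraint violations:", gap_violations(WRITES, RT))
    print("status false during:  ", stale_intervals(WRITES, RT, 100))
```

With RT larger than the period, a single missed write leaves the status false only for the part of the gap that exceeds RT, which is the window a consumer must treat the value as "too old".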
ANALYSIS

Qualitative Analysis

• general properties: we have the boundedness property (as the randomized state graph has 34 states); then the system can be implemented,
• specific properties (by looking at the abstract view (Fig 8) and not considering the probabilities and time values):
- the cycle S7 - S1 - S5 - S7 represents the normal behaviour,
- the path S7 - S11 - S19 represents one abnormal behaviour; then, we can have either a new good behaviour (S19 - S1) or a new bad behaviour (S19 - S23 - S17),
- we can also express temporal logic formulas: from S7, it is potential to have !RP_DAT(True) and ?RP_DAT(True).

Quantitative Analysis

• The cycle of normal (abnormal) behaviour has a duration of 17 time units with a probability of 0.994 (0.006), i.e. a rate of 0.994/17 (0.006/17) time unit$^{-1}$.
• In the temporal logic formulas, "It is potential" is quantified by the assertion "with a probability x ($x \leq 1$) and a duration of y time units". For example: from state S7, we get the sending of RP_DAT(True) with a probability 0.994 and after a mean duration of 14 time units.

CONCLUSION

This study has shown that the Stochastic Timed Petri Net model is an adequate model for the formal specification and the analysis of time critical communication networks. In particular, by considering the example of the system FIP (French proposal for a field bus standard), we have analysed the influence of the different time constraints which control the communication activity for the updating of a real time distributed data base. A software tool, developed in the LAAS laboratory (Atamna, Juanole, 1991), has been used.

REFERENCES

ATAMNA, Y. AND JUANOLE, G. (1991). Présentation de l'outil basé sur le modèle réseau de Petri temporisés stochastiques : l'outil RdPTS. Rapport LAAS n91113.

EMERSON, E. ALLEN (1990). Automatic verification methods for finite state systems. Lecture Notes in Computer Science, Vol 407.

FIPA (1988). Spécification des services "couches application". DRAFT norme expérimentale N88004 Norme C46-602.

FIPB (1988). Spécification des services "couches liaison de données". DRAFT norme expérimentale N88-004 Norme C46-603.

JUANOLE, G. AND ATAMNA, Y. (1991). Dealing with arbitrary time distributions with the stochastic timed Petri net model - Application to queuing systems. International workshop on Petri net and performance models. Melbourne.

JUANOLE, G. AND ROUX, J.L. (1989). On the pertinence of the extended timed Petri net model for analysing communication activities. International workshop on Petri net and performance models. Kyoto.

MESSINA, G. AND TRICOMI, G. (1990). Time Critical Networks for Manufacturing. ICCC 90, New Delhi, India.

REISIG, W. (1985). Petri nets, an introduction. Springer Verlag.
[Figure] Fig 1: FIP fieldbus
[Figure] Fig 2: Buffer transfer service - protocol pair
[Figure] Fig 3: Buffer writing service
[Figure] Fig 4: Temporal diagram
[Figure] Fig 5: Petri Net models (buffer transfer)
[Figure] Fig 6: Petri Net model (buffer writing)
[Figure] Fig 7: Abstract view (buffer transfer)
[Figure] Fig 8: Abstract view (buffer transfer and buffer writing)