Automatic Properties Classification Approach for Guiding the
Verification of Complex Reconfigurable Systems
Mohamed Ramdani
1,3
, Laid Kahloul
2
and Mohamed Khalgui
3
1
University of Tunis El Manar, Tunis, Tunisia
2
LINFI Laboratory, Computer Science Department, Biskra University, Algeria
3
University of Carthage, National Institute of Applied Sciences and Technology, Tunis 1080, Tunisia
Keywords:
Discrete-event System, Reconfiguration, R-TNCES, Computation Tree Logic, CTL, Automatic Generation,
Formal Verification, Model-checking.
Abstract:
This paper deals with reconfigurable discrete event/control systems (RDECSs) that dynamically change their
structures due to external changes in environment or user requirements. Reconfigurable Timed Net Condi-
tion/Event Systems (R-TNCESs) are proposed as an extension of the Petri nets formalism for the optimal
functional and temporal specification of RDECSs. The correct design of these systems continues to challenge
experts in both academia and industry, since bugs not covered early can be extremely expensive at the final
deployment. The classic model-checking using computation tree logic (CTL) and its extensions (extended
CTL, Timed CTL, etc) produces a large number of properties, possibly redundant, to be verified in a complex
R-TNCES. To control the complexity and to reduce the verification time, a reduction technique of properties
is proposed. The novelty consists in the classification of CTL properties according to their semantic relati-
onships for guiding an efficient verification. An algorithm is proposed for the automatic classification of CTL
properties before starting model-checking process. A case study is exploited to illustrate the impact of using
this technique. The current results show the benefits of the paper’s contribution.
1 INTRODUCTION
Discrete event/control systems (DECSs) are asyn-
chronous and non-deterministic systems which have
a discrete nature of states and can change their state,
in time, by the occurrence of external/internal events.
The control and the coordination of physical devi-
ces that compose a DECS become more complex and
more critical in large-scale systems. The development
of auto-control systems and the integration of reconfi-
gurability aspect in DECSs accelerate the appearance
of innovative systems called reconfigurable discrete
event/control systems (RDECSs). This kind of sys-
tems can work simultaneously on various conditions:
concurrency, control, communication, etc. Such sys-
tems include manufacturing, real time systems(Ghribi
et al., 2018), (Lakhdhar et al., 2018), mobile systems
(Idriss et al., 2017), and wireless sensor networks
(Grichi et al., 2017), intelligent approaches (Meskina
et al., 2017), intelligent applications, and communi-
cation systems (Karoui et al., 2017) etc.
RDECSs represent a class of systems that adapt
their behavior to any evolution in their environment,
dynamically and timely. In reconfigurable systems,
any adaptation to the external changes or any response
to user requirements is considered as a reconfigura-
tion scenario (Zhang et al., 2015). The reconfigura-
tion can be applied statically at design time or dy-
namically at run-time (Khalgui and Hanisch, 2011).
The reconfiguration is a set of changes in the struc-
ture, functionality, and control algorithms which can
cause dysfunctions in the system. Therefore, every
newly applied reconfiguration of the current state of
a system must produce a new state which preserves
always the required properties. In spite of its com-
plexity, the verification task of RDECSs is a primor-
dial one. Formal verification methods are applied be-
cause they use mathematical specifications and the
exhaustive testing. To ensure the correctness of a sy-
stem by model-checking method, the formal model
of the system behavior/structure and the specification
of the related properties in a temporal logic are re-
quired to be involved in a verification/debugging cy-
cle. The functional and temporal properties are spe-
cified by one of the existing temporal logics, such as:
Computation tree logic (CTL), extended computation
Ramdani, M., Kahloul, L. and Khalgui, M.
Automatic Properties Classification Approach for Guiding the Verification of Complex Reconfigurable Systems.
DOI: 10.5220/0006863005910598
In Proceedings of the 13th International Conference on Software Technologies (ICSOFT 2018), pages 591-598
ISBN: 978-989-758-320-9
Copyright © 2018 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved
591
tree logic (eCTL), and timed computation tree logic
(TCTL).
To cope with the reconfigurability, Petri nets has
been extended and developed by many works (Pad-
berg and Kahloul, 2018). Timed net condition/event
systems (TNCESs) formalism is a modular exten-
sion of Petri nets presented in (Khalgui and Hanisch,
2011). In order to deal with reconfigurable sys-
tems, TNCESs formalism was extended towards R-
TNCESs in (Zhang et al., 2013). The R-TNCES can
capture the complex characteristics of an RDECS and
facilitate the good understanding of the physical pro-
cess of the system by the modular graphical represen-
tation. The layer-by-layer verification of R-TNCES
proposed in (Zhang et al., 2013) is applied directly
to the set of TNCESs layers without any analysis of
relationships between behaviors to be checked. This
direct and blind checking, of the set of properties, ma-
kes the verification process too complicated and har-
der in the case of a complicated reconfigurable sy-
stem. This complication is justified by the system
complexity and the high number of properties to be
checked by the designer.
The objective of this work is to improve the verifi-
cation process of RDECSs. In this paper, we propose
to classify automatically properties and to introduce
a priority in verification in order to control the high
number of properties to be verified in such systems.
The proposed approach takes as input a set of formu-
las, and gives as output an automatic classification ac-
cording to defined relations between behaviors. Thus,
the goal of this research is to automatically range, fil-
ter and reorganize the CTL and its extension formulas
for a complex verification of an R-TNCES. We argue
that using this arrangement process, one can reduce
the number of properties to be verified. The purpose
of this paper is to identify, automatically, relationships
between formulas. These relationships will be used
by an algorithm to make the suitable order in which
properties will be checked. In fact, we can recapitu-
late the whole process in four steps, as follows. (i)
A syntactic sorting of all properties according to their
CTL class, (ii) A grouping of properties by creating
sub-sets of properties according to their configuration
and their goals form (simple/composed), (iii) An au-
tomatic generation by a simple research in the above
sub-sets, and (iv) A guiding of verification according
to the established relationships.
To demonstrate the feasibility of the proposed ap-
proach, a formal case study is provided. We detail the
application of the proposed verification process step
by step to show how the guiding method works from
the syntactic sorting to the guidance arrangement of
verification. To illustrate the gain of this task as a
preprocessing before the model-checking process, we
give some simulations. The results show that the pro-
posed technique reduces effectively the number of
properties to be verified in reconfigurable systems.
The organization of this paper is as follows. Section II
gives backgrounds. Section III presents the formali-
zation and the automatic generation based algorithm.
The papers contribution is applied to a formal case
study in Section IV. Finally, Section V concludes this
paper and describes future works.
2 BACKGROUND
In this section, we present the concerned formalism
and some related concepts of CTL and its extensions
which will be used in this paper.
R-TNCES is a modeling formalism based on Pe-
tri nets and control components CC. A compo-
nent is a logical software unit (Khalgui et al., 2011),
which represents the data-flues and actions of sen-
sors/actuators (algorithms, extraction or activation).
Every CC resumes the physical process in three acti-
ons: activation, working, and termination. An R-
TNCES RT N is a composed structure that contains
two components, thus RT N = (B, R). The first com-
ponent B is the behavior module, composed of n con-
figurations B = (C
1
, . . . ,C
n
), each one is a TNCES,
possibly redundant. The second component R is the
control module which represents the set of recon-
figuration functions R = (r
1
, . . . , r
m
) with n,m N.
Formally, the behavior module of an R-TNCES is a
place/transition net model specified as proposed in
(Zhang et al., 2013).
B = (P, T, F,W, CN, EN, DC,V, Z
0
) (1)
where, P (resp. T) is a superset of places (resp. tran-
sitions), F is a superset of arcs, W : (P × T ) (T ×
P) {0, 1} maps a weight to a flow arc, CN (resp.
EN) is a superset of condition signals (resp.event sig-
nals), DC is a superset of clocks on output arcs, V :
T {AND, OR} maps an event processing mode for
every transition, and Z
0
= Z
0i
= (M
0
, D
0
), where M
0
is the initial marking, and D
0
is the initial clock po-
sition. An example of R-TNCES will be detailed in
section 4.1. The dynamic and the structure modifica-
tion instructions of this formalism are well detailed in
(Zhang et al., 2013).
According to the way in which the system reacts
due to the environment changes and the user require-
ments, any adaptation is assumed as a reconfiguration
scenario. R-TNCESs include many reconfiguration
scenarios in one model. Each reconfiguration repre-
sents a switch between two TNCESs, possibly redun-
ICSOFT 2018 - 13th International Conference on Software Technologies
592
dant. Since behavior can be repeated in many TN-
CESs, its verification can be quantified from an exe-
cution to another execution. The redundancy between
TNCESs creates relationships through different be-
haviors which may express dominance, equivalence,
and composition of execution order.
Definition 1. A dominance behavior is an execution
which respects the order of precedence between phy-
sical processes included in the same configuration or
in different ones.
Definition 2. An equivalent behavior is an execution
which includes the same physical process in different
configurations.
Definition 3. A composition behavior is a global exe-
cution composed of many physical processes which
are in the same configuration or in different ones.
The model-checking of R-TNCESs is an automa-
tic technique for the verification of properties correct-
ness of finite-state systems based on their reachabi-
lity graph. The properties are specified using the tem-
poral logic CTL or its extensions. Computation tree
logic (CTL) (Baier et al., 2008) and extended com-
putation tree logic (eCTL) (Starke and Roch, 2002)
are used to specify the functional properties, and Ti-
med CTL (Boucheneb et al., 2009) is used to specify
the reasoning about the truth values of the time con-
straint of an RDECS over a time interval. Using CTL
and its extensions, the time is not explicitly expressed,
but we have the possibility of saying that a property
will frequently/infrequently be verified or will never
be verified. CTL offers facilities for the specification
of properties that must be fulfilled by the system, like
safety, liveness, reachability, etc.
We denote that every two properties sharing simi-
lar goals or a part of goals can be involved in a bi-
part relationship. The bi-part relationship can be: (i)
Equivalence relationship which means that two simi-
lar properties represent an equivalent behavior which
concerns two different configurations. (ii) Composi-
tion relationship which means an argumentative re-
lation of two properties that have a conjunction fac-
tor representing a composition behavior (precedence
of goals), and (iii) a dominance relationship between
two properties means that the final result of the whole
formula depends only on the dominant part of this for-
mula because of the dominant behavior of the physi-
cal process to be verified.
Definition 4. A goal means a simple locality in the
model which can be a place, a transition, a state or a
formula written in CTL or one of its extensions.
The classical verification ignores the redundancy
effect on behaviors that increase the number of pro-
perties to be verified and complicates the verification
process. Therefore, the classical verification is inca-
pable of controlling the number of properties to be
verified and so that incapable to identify the relati-
onships between them. This work tries to give a veri-
fication strategy to avoid this problem.
3 PROPERTIES
CLASSIFICATION
Considering the above drawbacks of formalisms and
methods in reconfigurable systems verification pro-
cess, the verification time increases as well as the
number of properties to be verified increases. We pro-
pose in this section an optimal strategy for the gui-
dance of CTL formulas verification. Using our pro-
posed approach, we minimize the validation time by
reducing the number of properties to be verified, and
we improve model-checking of reconfigurable sys-
tems and make it more efficient by automatizing the
classification and properties order generation. The re-
duction is obtained by extracting the possible relati-
onships. Then, expressing those relations using a set
of new proposed operators. Figure 1 summarizes the
global idea of the automatic generation of relation or-
der between the CTL formulas.
Figure 1: Global idea of the automatic generation process.
3.1 Formalization
The syntax of new proposed operators is presented in
this section. Let us denote by φ
T L
a formula written in
one of these logics. The classification operation intro-
duces a set of new operators to express relationships
between every couple of properties.
Dom
c
i
: Internal dominance operator between two
distinguished formulas expressed on the same
configuration C
i
B,
Automatic Properties Classification Approach for Guiding the Verification of Complex Reconfigurable Systems
593
Dom
c
i
,c
j
: External dominance operator between
two formulas expressed on two distinguished con-
figurations C
i
and C
j
,
Equi
c
i
,c
j
: Equivalence operator between two for-
mulas expressed on two distinguished configura-
tions C
i
and C
j
in B,
Comp
c
i
: Internal composition operator between
two formulas expressed on the same configuration
C
i
B,
Comp
c
i
,c
j
: External composition operator bet-
ween two formulas expressed on two distinguis-
hed configurations C
i
and C
j
in B,
Assumption 1. A classified formula deals only with
one type of extension, i.e., it is not possible to classify
two formulas from two different extensions with the
same operator.
The dominance (φ
T L
h
Dom
C
i
φ
T L
k
) (resp. φ
T L
h
Dom
C
i
,C
j
φ
T L
k
) means formula φ
T L
h
on the configura-
tion C
i
dominates formula φ
T L
k
on the same configu-
ration (resp. on the configuration C
j
) because of the
existence of a precedence relation between states, an
order of temporal logics connectors or a functional
dependency between the left part and the right part.
The equivalence (φ
T L
h
Equi
C
i
,C
j
φ
T L
k
) means that
formula φ
T L
h
on configuration C
i
is equivalent with
formula φ
T L
k
on configuration C
j
as a result of an equi-
valence between goals in CTL or time factor in TCTL,
or sequence factor τ sequences in eCTL.
The composition (φ
T L
h
Comp
C
i
φ
T L
k
) (resp. φ
T L
h
Comp
C
i
,C
j
φ
T L
k
) means the conjunction of two proper-
ties on the same configuration C
i
which have a prece-
dence order in their goals (resp. between two proper-
ties belonging to two different configurations C
i
and
C
j
).
In order to facilitate properties verification, we
propose a new method for the automatic classifica-
tion of basic CTL, TCTL, eCTL formulas according
to relationships order. The proposed method passes
through two principal operations: (i) the sorting and
grouping operation, (ii) and the automatic generation.
3.1.1 Sorting and Grouping operation
This first operation proceeds in two steps: (i) First
step, a syntactic sorting of properties according to the
temporal logic class, i.e., we have the initial set of
all properties including CTL, eCTL, TCTL proper-
ties, like an input denoted by Prop
Initial
and we get
sets of properties sorted according to each kind of lo-
gics in the output denoted by Prop
CT L
, Prop
eCT L
,
Prop
TCT L
. Algorithm 1 resumes the sorting of
Prop
initial
assumed not empty to the sets Prop
CT L
,
Prop
eCT L
, Prop
TCT L
initially empty.
Algorithm 1: Syntactic sorting.
Input: Prop
Initial
;
Output: Prop
CT L
, Prop
eCT L
, Prop
TCT L
;
for each φ Prop
initial
do
if ( φ
i
is a CTL formula) then
Insert φ in Prop
CT L
;
end
if ( φ
i
is a eCTL formula) then
Insert φ in Prop
eCT L
;
end
if ( φ
i
is a TCTL formula) then
Insert φ in Prop
TCT L
;
end
Return (Prop
CT L
, Prop
eCT L
, Prop
TCT L
)
end
(ii) The second step projects each generated set in
the first step on the system model to group the pro-
perties according to their configurations and their go-
als type (simple or composed). For each class of lo-
gic and for each configuration of the system, the pro-
jection gives two sets of properties: Composed Goal
Set on the configuration i (CGS
i
) and Simple Goal Set
on the configuration i (SGS
i
).
Definition 5. Simple Goal Set is the set of all proper-
ties that have a simple goal represented by a simple
place or simple transition. e.g., EF p
4
, AG t
9
, etc.
Definition 6. Composed Goal Set is the set of all pro-
perties that have a composed goal represented by a
conjunction of places or transitions or liveness pro-
perties .e.g., EF(p
4
p
5
), AG(t
9
EF p
9
), etc. Al-
gorithm 2 projects Prop
CT L
set and groups their pro-
perties.
Algorithm 2: Grouping operation.
Input: Prop
CT L
;
Output:
n
S
i=1
SGS
i
,
n
S
i=1
CGS
i
;
for each φ Prop
CT L
do
for each configuration C
i
,i=1..n do
if φ is expressed on configuration C
i
then
if ( φ
i
is with a simple goal) then
Insert φ in SGS
i
;
end
if ( φ
i
with a composed goal) then
Insert φ in CGS
i
;
end
end
end
end
Return (
n
S
i=1
SGS
i
,
n
S
i=1
CGS
i
)
ICSOFT 2018 - 13th International Conference on Software Technologies
594
Figure 2 depicts the sorting and the grouping ope-
ration of properties.
Figure 2: Sorting strategy of properties.
3.1.2 Automatic Generation
The algorithm of automatic classification exploits the
structure of properties to be verified and identifies the
possible relationships between them. After that, the
model-checking algorithms assure an optimal guided
and global verification using these relations. In this
work, we focus on the automatic classification of ba-
sic formulas φ
CT L
, φ
TCT L
, and φ
eCT L
. For one formula
φ, if it is not possible to identify any relationships
on any set, then the property will be called the non-
involved property and it will be added to a new set
called non involved. Algorithm 3 identifies the rela-
tionships between properties through five steps. Each
step corresponds to one kind of property identifica-
tion. The negative result of each step takes the process
to the next step. Those steps are:
step1: Identify the internal dominance by
checking the adhesion of simple goal to another
composed goal property in the same configura-
tion.
step2: Identify the external dominance by
checking the membership of simple goal to anot-
her with a composed goal in a different configura-
tion.
step3: Check a property with the same simple goal
from another simple goal set.
step4: Identify the internal composition by
checking the precedence order in the same simple
goal set.
step5: Identify the external composition by
checking the precedence order in the simple goal
set from another configuration.
Algorithm 3: Automatic generation.
Input:
n
S
i=1
SGS
i
,
n
S
i=1
CGS
i
;
Output: Set ClassCT L, non involved;
Set ClassCT L
/
0;
non involved
/
0;
for each configuration C
i
,i=1..n do
for each φ
i
from SGS
i
do
if (ψ CGS
i
/ φ
i
ψ) then
*Insert φ
i
Dom
C
i
ψ into Set ClassCT L;
Update(Set ClassCT L, φ
i
Dom
C
i
ψ);
Remove(φ
i
, ψ);
Break;
end
if (ψ CGS
j
/ φ
i
ψ) then
Update(Set ClassCT L , φ
i
Dom
C
i
,C
j
ψ);
Remove(φ
i
, ψ);
Break;
end
if (ψ SGS
j
/ φ
i
ψ) then
Update(Set ClassCT L, φ
i
Equi
C
i
,C
j
ψ);
Remove(φ
i
, ψ);
Break;
end
if (ψ SGS
i
/ φ
i
above ψ) then
Update(Set ClassCT L, φ
i
Comp
C
i
ψ);
Break;
end
if (ψ SGS
j
/ φ
i
above ψ) then
Update(Set ClassCT L, φ
i
Comp
C
i
,C
j
ψ);
Break;
end
Update (non involved, φ
i
);
end
end
Return (Set ClassCT L, non involved);
For a large-scale system of n configurations, the
automatic classification algorithm has the cost of
O(|n| × |K|), with K is the maximum number of pro-
jected properties in SGS set.
4 EXPERIMENTAL STUDY
4.1 Case Study
To demonstrate the performance and the gain of the
proposed contribution, we use an R-TNCES to mo-
del a sequential system Sys (for example a production
chain), to be denoted by RTN
Sys
= (B
Sys
, R
Sys
). Sys is
composed of 10 physical processes represented by 10
CCs. The behavior module of the system (B
Sys
) is mo-
deled graphically as shown in Figure 3. This model
covers three configurations (C f
1
,C f
2
,C f
3
). It is as-
sumed that every configuration has one control chain
Automatic Properties Classification Approach for Guiding the Verification of Complex Reconfigurable Systems
595
Figure 3: Model with three configurations process.
(C
chain
i
). The control chains describing the physical
process are:
C
chain
1
=(CC
1
,CC
2
,CC
3
,CC
6
,CC
7
,CC
10
),
C
chain
2
=(CC
1
,CC
2
,CC
4
,CC
6
,CC
8
,CC
10
),
C
chain
3
=(CC
1
,CC
2
,CC
5
,CC
6
,CC
9
,CC
10
).
The system model contains 30 states-transitions and
10 input/output events signals. This behavior module
is able to be reconfigured automatically and timely
between the three configurations (C f
i
, i = 1, .., 3), ac-
cording to the environment changes or to user require-
ments. RT N
Sys
can apply six different reconfiguration
scenarios according to the control module R
Sys
, which
are described as follows:
R
Sys
= {(C f
1
,C f
2
); (C f
1
,C f
3
); (C f
2
,C f
1
);
(C f
2
,C f
3
); (C f
3
,C f
1
); (C f
3
,C f
2
)}.
In the next section, we investigate the relations-
hips between CCs in chains to prepare the automatic
generation.
4.2 Example of Relationships
In order to validate the basic behavior of the system
and to guarantee that Sys model satisfies the good re-
quirements, we must ensure the CTL and eCTL based
functional properties. In particular, to ensure the sa-
fety, the liveness and the non-blocking of the system.
For the safety, the system allows only one process to
be executed at any time, i.e., no activation of two CCs
from two different configurations at the same time
and the system must respect the potentiality of each
CC. For the liveness, whenever any process wants to
change the configuration, it will eventually be allo-
wed to do so. For the non-blocking, any active CC is
eventually ended, i.e., a process can always request
to change the current CC. Each control component
is characterized by time constraints, which are lower
and upper limits constraining the execution. Indeed,
we investigate that every CC respects its activation
constraint ensured by the TCTL based temporal pro-
perties.
The above mentioned properties are specified
using CTL, eCTL and TCTL logics, initially not orga-
nized. We apply Algorithm 1 to perform the syntactic
sorting and grouping of those properties, and Algo-
rithm 2 for the projection on Sys configuration. Table
1 resumes the result of these two operations.
By applying Algorithm 3, we give the classifica-
tion of CTL, eCTL and TCTL properties in tables 2,
3 and 4. From the classification of the CTL properties
presented in Tables 2, the guiding of verification of
those properties can be like:
P
2
> P
8
> P
1
> P
9
> P
6
> P
11
> P
5
> P
3
> P
4
> P
10
(2)
ICSOFT 2018 - 13th International Conference on Software Technologies
596
Table 1: The syntactic sorting, grouping and projection of
Prop
Initial
set.
CT L f ormulas
SGS
1
P
1
: EF(p
3
); P
3
: EF(p
9
);P
4
: EF(p
18
).
SGS
2
P
2
: AF(p
4
); P
8
: AF(p
18
).
SGS
3
P
7
: AF(p
4
); P
9
: AF(p
18
); P
10
: EF(p
30
).
CGS
1
P
5
: AG(p
18
AF p
21
).
CGS
2
P
6
: AG(p
18
AF p
24
).
CGS
3
P
11
: AG(p
3
EF p
30
).
eCT L f ormulas
CGS
1
P
1
: AGAt
1
XAF p
3
; P
3
: AGAt
18
XEF p
21
;
P
2
:AGAt
17
XAFEt
18
X p
19
.
CGS
2
P
4
: AGAt
2
XAF p
3
; P
5
: AGAt
18
XEF p
24
CGS
3
P
6
: AGAt
18
XEF p
24
; P
7
: AFAt
18
XAF p
30
.
TCT L f ormulas
SGS
1
P
1
: EF[1, 3]p
3
= 1; P
4
: EF[2, 4]p
6
= 1;
P
9
: EF[4, 12]p
18
= 1; P
5
: EF[3, 9]p
9
= 1;
SGS
2
P
2
: EF[1, 3]p
3
= 1; P
6
: EF[5, 15]p
24
= 1;
P
7
: EF[4, 12]p
18
= 1;
SGS
3
P
3
: EF[1, 3]p
3
= 1; P
8
: EF[5, 15]p
27
= 1
P
10
: EF[6, 18]p
30
= 1;
Table 2: Classification of the CTL properties.
Internal Dominance P
8
Dom
C
2
P
6
External Dominance P
1
Dom
C
1
,C
3
P
11
;
P
9
Dom
C
3
,C
1
P
5
.
Equivalence P
2
Equi
C
2
,C
3
P
7
;
Internal composition P
3
Comp
C
1
P
4
.
Non involved properties
P
10
.
Table 3: Classification of the eCTL properties.
Equivalence P
1
Equi
C
1
,C
2
P
4
.
Internal composition P
6
Comp
C
3
P
7
.
External composition P
3
Comp
C
1
,C
2
P
5
.
Non involved properties
P
2
.
Or like:
P
7
> P
8
> P
1
> P
9
> P
6
> P
11
> P
5
> P
3
> P
4
> P
10
(3)
From the classification of the eCTL properties in pre-
sented Table 3, the guiding of verification of those
properties can be like:
P
1
> P
6
> P
7
> P
3
> P
5
> P
2
(4)
P
4
> P
6
> P
7
> P
3
> P
5
> P
2
(5)
From the classification of the TCTL properties in
Table 4, the guiding of verification of those properties
can be like:
P
1
> P
9
| P
7
> P
4
> P
5
> P
3
> P
8
> P
6
> P
10
(6)
Or like:
P
2
> P
9
| P
7
> P
4
> P
5
> P
3
> P
8
> P
6
> P
10
(7)
Let us assume that we have 100 properties to be ve-
Table 4: Classification of the TCTL properties.
Equivalence P
1
Equi
C
1
,C
2
P
2
;
P
9
Equi
C
1
,C
2
P
7
.
Internal composition P
4
Comp
C
1
P
5
;
P
3
Comp
C
2
P
8
;
External composition P
6
Comp
C
2
,C
3
P
10
.
rified here, and let us assume that the faulty property
can be in different ranges, 0-25%, 25-50%, 50-75%,
and 75-100% respectively. Figure 4 shows a quanti-
tative difference for detection of the faulty property
between the proposed approach and the verification
of layer-by-layer. The benefit of this approach resides
in the early detection of the faulty property.
0
20
40
60
80
100
120
25% 50% 75% 100%
Prop
Faulty properties
Proposed approah Layer-by-layer method
Figure 4: Proposed approach vs Layer-by-layer approach.
As shown in Figure 4, the number of properties
to be checked using layer-by-layer method is average
of two times bigger than using the proposed method.
Thus, avoiding redundancies and ordering relations
decreases the number of properties in the automatic
generation method.
4.3 Discussion
The performance of this classification approach is di-
rectly related to the number of common CCs between
TNCESs. Let us assume that the correctness of each
model needs to satisfy the safety, the liveness, and the
non-deadlock requirements. Let us assume that 10,
11, 29, 40, and 57 represent numbers of CCs in each
TNCES for five different systems, each of which con-
tains 10, 39, 70, 169, and 404 TNCESs respectively.
We assume that each control component is proven to
satisfy at least one property and at most five. Let us
denoted by Γ the reduction percentage based on the
similarity between TNCESs. We assume that Γ is
Automatic Properties Classification Approach for Guiding the Verification of Complex Reconfigurable Systems
597
randomized between 1% and 30% (the average per-
centage). Figure 5 reveals the evolution of the emu-
lated number of properties for RDECSs verification
with the direct verification method and with the pro-
posed one.
0
5000
10000
15000
20000
25000
30000
35000
40000
45000
50000
10 39 70 169 404
Prop
TNCESs
Direct Method Proposed Method
Figure 5: Number of property in the verification.
5 CONCLUSION
This work deals with the automatic classification of
properties oriented to the reconfigurable system veri-
fication using CTL, eCTL and TCTL specifications.
In this paper, we have presented an arrangement of
properties and we have guided model-checking for an
improved verification in term of time and complexity
(number of properties to be verified). This contribu-
tion is considered as a first step before the application
of model checking to reduce as possible the number
of formulas that specifying RDECS verification. We
propose a new technique for the classification of com-
putation tree logic (CTL) properties and the related
automatic generation, which significantly reduces the
number of properties to be verified in reconfigurable
systems models. Besides reducing the number of pro-
perties, applying the factorization technique enables
efficient model checking of the reconfigurable sys-
tems. Classically, we have to check all properties in
blind way, but with the classification of CTL proper-
ties we identify the redundancies and the factorization
between them. Using the contribution of this paper,
we apply the model checking technique on a reduced
space of properties which results in the gain of desig-
ner effort and outperforms time consumption in the
verification process.
This work opens several perspectives; first, we
plan to apply our approach in verification of real-case
studies and to develop an extension of this method for
dealing with reconfigurable distributed behaviors. Se-
cond, we plan to include the artificial intelligence to
guide verification process by using ontologies in the
automatic generation phase.
REFERENCES
Baier, C., Katoen, J.-P., and Larsen, K. G. (2008). Princi-
ples of model checking. MIT press.
Boucheneb, H., Gardey, G., and Roux, O. H. (2009). TCTL
model checking of time Petri nets. Journal of Logic
and Computation, 19(6):1509–1540.
Ghribi, I., Abdallah, R. B., Khalgui, M., Li, Z., Alnowi-
bet, K., and Platzner, M. (2018). R-codesign: Code-
sign methodology for real-time reconfigurable embed-
ded systems under energy constraints. IEEE Access,
6:14078–14092.
Grichi, H., Mosbahi, O., Khalgui, M., and Li, Z. (2017).
New power-oriented methodology for dynamic resi-
zing and mobility of reconfigurable wireless sensor
networks. IEEE Transactions on Systems, Man, and
Cybernetics: Systems, PP(99):1–11.
Idriss, R., Loukil, A., Khalgui, M., Li, Z., and Al-Ahmari,
A. (2017). Filtering and intrusion detection approach
for secured reconfigurable mobile systems. Journal
of Electrical Engineering & Technology, 12(5):2051–
2066.
Karoui, O., Guerfala, E., Koubaa, A., Khalgui, M., Tovard,
E., Wu, N., Al-Ahmari, A., and Li, Z. (2017). Perfor-
mance evaluation of vehicular platoons using webots.
IET Intelligent Transport Systems, 11(8):441–449.
Khalgui, M. and Hanisch, H.-M. (2011). Automatic NCES-
based specification and sesa-based verification of fe-
asible control components in benchmark production
systems. International Journal of Modelling, Identifi-
cation and Control, 12(3):223–243.
Khalgui, M., Mosbahi, O., Li, Z., and Hanisch, H. M.
(2011). Reconfiguration of distributed embedded-
control systems. IEEE/ASME Transactions on Mecha-
tronics, 16(4):684–694.
Lakhdhar, W., Mzid, R., Khalgui, M., Li, Z., Frey, G., and
Al-Ahmari, A. (2018). Multiobjective optimization
approach for a portable development of reconfigura-
ble real-time systems: From specification to imple-
mentation. IEEE Transactions on Systems, Man, and
Cybernetics: Systems, PP(99):1–15.
Meskina, S. B., Doggaz, N., Khalgui, M., and Li, Z. (2017).
Multiagent framework for smart grids recovery. IEEE
Transactions on Systems, Man, and Cybernetics: Sys-
tems, 47(7):1284–1300.
Padberg, J. and Kahloul, L. (2018). Overview of reconfigu-
rable petri nets. In Graph Transformation, Specifica-
tions, and Nets, pages 201–222. Springer.
Starke, P. H. and Roch, S. (2002). Analysing Signal-net
Systems. Professoren des Inst. f
¨
ur Informatik.
Zhang, J., Khalgui, M., Li, Z., Frey, G., Mosbahi, O., and
Salah, H. B. (2015). Reconfigurable coordination of
distributed discrete event control systems. IEEE Tran-
sactions on Control Systems Technology, 23(1):323–
330.
Zhang, J., Khalgui, M., Li, Z., Mosbahi, O., and Al-Ahmari,
A. M. (2013). R-TNCES: A novel formalism for re-
configurable discrete event control systems. IEEE
Transactions on Systems, Man, and Cybernetics: Sys-
tems, 43(4):757–772.
ICSOFT 2018 - 13th International Conference on Software Technologies
598