R-TNCES Rebuilding: A New Method of CTL Model Update for

Reconﬁgurable Systems

Mohamed Ramdani

1,2,3,4

, Laid Kahloul

, Mohamed Khalgui

1,3

and Yousra Haﬁdi

1,2,3,4

LISI Laboratory, National Institute of Applied Sciences and Technology, University of Carthage, Tunis 1080, Tunisia

LINFI Laboratory, Computer Science Department, Biskra University, Algeria

School of Electrical and Information Engineering, Jinan University, China

University of Tunis El Manar, Tunis, Tunisia

Keywords:

Reconﬁgurable Discrete-Event System, Reconﬁgurable Timed Net Condition Event System, Computation

Tree Logic, Model Rebuilding.

Abstract:

This paper deals with improved rebuilding of models in formal veriﬁcation of reconﬁgurable discrete-event

systems (RDESs) modeled by reconﬁgurable timed net condition event systems (R-TNCESs). Automated

computation tree logic (CTL) model update and repair are approaches that extend model-checking to generate

a new correct model that represents the desired behavior. We propose R-TNCES rebuilding method, which is

a formal method that allows both the veriﬁcation and the modiﬁcation of reconﬁgurable models. The proposed

approach generates from an incorrect model a new one that satisﬁes a given CTL formula. First, CTL is deﬁned

to deal with the system functional properties speciﬁcation. A set of transformation rules with an algorithm are

proposed to achieve the rebuilding phase. Finally, platform FESTO MPS is used as a case study to demonstrate

the paper’s contribution. The obtained results show the efﬁciency of the proposed contribution even in large

complex systems.

1 INTRODUCTION

Discrete event systems (DESs) can change their state

in an asynchronous and a nondeterministic way due

to the occurrence of events. The auto-control deploy-

ment in such systems innovates a new class of systems

called: reconﬁgurable discrete event/control systems

(RDECSs), which can work under various conditions:

concurrency, control, communication, etc. Such class

includes manufacturing systems(Zhang et al., 2018),

real time systems (Lakhdhar et al., 2018), and em-

bedded systems (Housseyni et al., 2018), etc. Re-

conﬁguration is the set of internal changes to adapt

the external changes and user requirements (Zhang

et al., 2015) (changes in the structure, functionality,

and control algorithms). In spite of the complex-

ity of RDECSs, model-checking is an effective tech-

nique for the automatic veriﬁcation of those systems.

Model-checking veriﬁes the satisfaction between a

behavior formal model (Petri nets, automaton, etc.)

and a functional property speciﬁcation, which is spec-

iﬁed by a temporal logics (computation tree logic, lin-

ear temporal logic, etc.). In order to deal with recon-

ﬁgurable systems, many formalisms are proposed and

extended. Petri net is the most used formalism de-

veloped to cope with reconﬁgurability (reconﬁgurable

Petri nets (Padberg and Kahloul, 2018)). Reconﬁg-

urable time net condition/event systems (R-TNCES)

are one of their extensions (Zhang et al., 2013).

In the last decade, model-checking is also pro-

gressing and improved to be more efﬁcient in the de-

bugging of errors and their auto-correction. Com-

putation tree logic (CTL) update and repair is one

of this extension, which is a method that modiﬁes

the system model in order to satisfy a given for-

mula. In such a context, many works of system

model modiﬁcation are developed. Ding and Zhang

in (Ding and Zhang, 2007), (Zhang and Ding, 2008)

proposed an algorithm based on ﬁve basic operations

and minimal change criteria. Carrillo and Rosen-

blueth proposed another algorithm and introduced

the protection concept in (Carrillo and Rosenblueth,

2014). Martinez and Lopez proposed a CTL re-

pair methodology for different classes of Petri nets,

(Mart

ınez-Araiza and L

opez-Mellado, 2014) for la-

beled state machines (LSM), (Mart

ınez-Araiza and

opez-Mellado, 2015) for bounded and deadlock free

Petri nets, and (Martinez-Araiza and L

opez-Mellado,

Ramdani, M., Kahloul, L., Khalgui, M. and Haﬁdi, Y.

R-TNCES Rebuilding: A New Method of CTL Model Update for Reconﬁgurable Systems.

DOI: 10.5220/0007736801590168

In Proceedings of the 14th International Conference on Evaluation of Novel Approaches to Software Engineering (ENASE 2019), pages 159-168

ISBN: 978-989-758-375-9

159

2016) for open work-ﬂow nets (oWFN).

The veriﬁcation layer-by-layer proposed in

(Zhang et al., 2013) and the formal veriﬁcation

proposed in (Haﬁdi et al., 2018) are incapable to

automate the correction of a model which does not

satisfy a property formula. The system complexity,

the high number of properties to be checked and the

absence of a technique that facilitates the debugging

task make the veriﬁcation phase of R-TNCESs a hard

task.

In this paper, we deal with the veriﬁcation and

model updating (modiﬁcation) of reconﬁgurable sys-

tems modeled with R-TNCESs. In order to deal

with the absence of CTL model update approaches

for this formalism, we propose a new methodology

called R-TNCESs rebuilding. First, we compute a

Kripke structure model from the behavior module of

R-TNCES. Second, we formulate a CTL formula to

be veriﬁed in the Kripke model, based on the orig-

inal formula written on R-TNCES. Then, the error

will be localized and isolated using the ﬁve primi-

tives of Ding and the minimal change criteria (Ding

and Zhang, 2007). Finally, according to the equiva-

lence between the changes in the Kripke model and

the modiﬁcation instructions of the R-TNCESs for-

malism, we apply the rebuilding of R-TNCES to get

a new model which satisﬁes the given property.

We illustrate the contribution and validate our

methodology through an academic case study FESTO

MPS (Zhang et al., 2013), which is a lab-scale sta-

tion. We use the behavior module of FESTO MPS

to show the performance of the different algorithms

and to check properties of broadcasting and synchro-

nizations. To conﬁrm the result of R-TNCESs re-

building, we use the SESA model checker (Starke and

Roch, 2002). Indeed, SESA is a software to analyze

TNCESs and to compute the exact reachable set of

states.

In this research, we aim to ensure the viability of

the R-TNCES model by checking properties on the

broadcasting and its synchronization. This work con-

tains four main contributions: (i) Providing a general-

ization of the CTL model update from Petri nets for-

malism to a rebuilding problem concerned by correc-

tions in a complex systems (i.e., RDECSs) modeled

by R-TNCESs formalism. In this granularity pas-

sage, we paid attention to the correct abstraction be-

tween formalisms. The classical CTL update, in clas-

sical Petri nets, is a place/transition rebuilding, whilst

the current one rebuilds modular entities (called con-

trol components: CCs) and their connections in the

model which facilitates the on-line intervention and

fault isolation. (ii) Developing an approach for the

model rebuilding. Our approach is able to generate

a new model that satisﬁes requirements speciﬁed by

a CTL formula while respecting the original model

and the minimal changes stated by Ding (Ding and

Zhang, 2007). (iii) Developing an algorithm to com-

pute a Kripke structure from an R-TNCES model, and

an another algorithm to adapt a CTL formula without

losing information. (iv) Demonstrating the impact of

the modular rebuilding in R-TNCESs to isolate the

modular bugs in reconﬁgurable systems.

The paper contains four main sections organized

as follows: In section 2, we present backgrounds and

some preliminary theories. Section 3 analyzes the

semantics of CTL update approach and gives the R-

TNCES rebuilding operation methodology. Section

4 illustrates the approach and algorithms application

through an academic case study. Finally, Section 5

concludes this work and describes our perspectives.

2 PRELIMINARIES

This section presents the basic concepts and notations

used in this paper.

2.1 Reconﬁgurable Time Net Event

Condition Systems

R-TNCESs represent a formalism which was pro-

posed in (Zhang et al., 2013) to specify and ver-

ify reconﬁgurable discrete event control systems

(RDECSs). An R-TNCES RT N is a couple RT N =

(B,R). B is the behavior module such that, B =

(Con f

,...,Con f

) (n conﬁgurations, each one is a

TNCES, possibly redundant). R is the control mod-

ule such that, R = (r

,. ..,r

) (set of reconﬁguration

functions with n,m ∈ N). Formally, the behavior mod-

ule is a tuple, deﬁned as follows.

B = (P, T,F,W, CN,EN, DC,V,Z

) (1)

where, P (resp, T) is a superset of places (resp. transi-

tions), F is a superset of arcs, W : (P×T )∪(T ×P) →

{0,1} maps a weight to a ﬂow arc, CN (resp. EN)

is a superset of condition signals (resp, event sig-

nals), DC is a superset of clocks on output arcs, V :

T → {AND,OR} maps an event processing mode for

every transition, and Z

= (M

), where M

is the

initial marking, and D

is the initial clock position.

Deﬁnition 1. (Control component CC) is a log-

ical software unit (Khalgui and Hanisch, 2011),

which represents the data-ﬂows and actions of sen-

sors/actuators (algorithms, extraction or activation).

Every CC resumes the physical process in three ac-

tions: activation, working, and termination. Figure 1

shows a generic model of a CC.

ENASE 2019 - 14th International Conference on Evaluation of Novel Approaches to Software Engineering

160

Control component

(CC)

Starting

transition

Ending

transition

Inputs

event

Output

event

Input

condition

Output

condition

[Min, Max]

Time

interval

Initial

place

Activation

transition

Figure 1: The generic model of a control component.

Deﬁnition 2. (Time Net Condition/Event System

TNCES) is a set of CCs interconnected by signals.

The order of CCs describes the desired behavior of

the TNCES.

2.2 Kripke Structure

Over a ﬁnite set of atomic propositions AP, Kripke

structure M is a 4-tuple M = (S, s

,R,L), such that:

• S is a ﬁnite set of states.

• s

is the initial state.

• R : r ← S × S is a transition relation, i.e., ∀s ∈ S,

∃s

such that (s,s

) ∈ R.

• L : S ← 2

is a label function.

A path π = s

,. .. is an inﬁnite sequence of

states in M from the initial state such that for all i ≥ 0

∃(s

i+1

) ∈ R.

2.3 Computation Tree Logic

The model-checking of R-TNCESs is an automatic

veriﬁcation technique of a system using ﬁnite-state

systems and their reachability graphs. The proper-

ties, to be checked, are speciﬁed using one temporal

logic such as CTL and its extensions. CTL (Baier

et al., 2008) is used to specify the functional prop-

erties. The time is not explicitly expressed using

CTL, but it is possible to say if a property will fre-

quently/infrequently be veriﬁed or will never be ver-

iﬁed. CTL offers facilities for the speciﬁcation of

properties that must be fulﬁlled by the system, like

safety, liveness, reachability, etc. A formula holds in

the system if it is proved true in the initial state of that

system. The set of Computation Tree Logic formu-

las is deﬁned inductively in (Baier et al., 2008) by the

following grammar.

Φ ::= true | a | Φ

∧ Φ

| ¬Φ | ∃ϕ | ∀ϕ (2)

where a is an atomic proposition and ϕ is a path for-

mula with the following syntax (E ≡ ∃ and A ≡ ∀):

ϕ ::= EXΦ | AXΦ | EFΦ | AFΦ | EGΦ | AGΦ | EΦ

UΦ

(3)

where, Φ, Φ

and Φ

are CTL state formulas. Due

to the existence of duality rules in CTL (Baier et al.,

2008), we can omit the path quantiﬁer ∀ (A) and use

CTL existential normal form (ENF). The set of CTL

formulas in ENF is given by:

Φ ::= true | a | Φ

∧ Φ

| ¬Φ | EXΦ | EGΦ | E(Φ

UΦ

)

(4)

2.4 Computation Tree Logic Update

Ding and Zhang have developed a formal approach

for computation tree logic model update based on

minimal change criteria over Kripke structure mod-

els (Ding and Zhang, 2007). CTL model update is

an approach for the automatic veriﬁcation and mod-

iﬁcation of system models. The principle used is to

generate admissible models that represent the correct

design(Zhang and Ding, 2008) in order to repair soft-

ware errors. The model updater functions modify the

models using ﬁve primitives (PU1, .. .,PU5).These

primitives are described in their simplest forms as fol-

lows.

• PU1: Adding a relation.

• PU2: Removing a relation.

• PU3: Changing the label of one state.

• PU4: Adding a state and its associated relations.

• PU5: Removing a state and its associated rela-

tions.

The semantics of the above primitives and of the min-

imal changes principle are detailed in (Zhang and

Ding, 2008).

3 REBUILDING OPERATION

FOR RECONFIGURABLE

MODELS

3.1 Formalization

Given a system model M with s

its initial state and

a CTL formula φ such that (M,s

) 2 φ, the rebuilding

problem can be deﬁned as ﬁnding a new model M

such that (M

)  φ. M

is the repaired model of M,

otherwise, there is a problem in the speciﬁcation of

the model/property (inconsistency). M

must respect

R-TNCES Rebuilding: A New Method of CTL Model Update for Reconﬁgurable Systems

161

the good speciﬁcation and must conserve the good

requirements of the system with minimal changes.

Figure2 illustrates the general problem of checking

and rebuilding.

Model M

CTL formula

to be verified

Satisfaction

Rebuilding M

Re-checking

Checking

Satisfaction Inconsistency

YES

YES NO

Figure 2: General problem.

Rebuilding operation (RO) can be formalized as fol-

low:

RO = (Z

,φ,I) (5)

Where,

• Z

= (m

) is the initial state of the system, such

that m

is the marking of the system and D

is the

clock of the system.

• φ is a CTL formula that speciﬁes a functional

property on the behavior module.

• I is the rebuilding operation instruction chain. I

can be restricted to add/delete components opera-

tions.

According to Ding’s primitives in the CTL update

for the Kripke structure and using the R-TNCES’s

modiﬁcation instructions, we deﬁne the following du-

alities between the above instructions to be deployed

in the rebuilding of reconﬁgurable systems speciﬁed

using R-TNCESs. Table 1 resumes dualities.

Table 1: Equivalence between Ding primitives and R-

TNCES rebuilding modiﬁcations.

R-TNCES rebuilding

modiﬁcations

modiﬁcation

instruction

PU1 Add event signal Cr(ev(t,t

))

PU2 Delete event signal De(ev(t,t

))

PU3 Add/Delete condition

signal

Cr(cn(p,t)) /

De(cn(p,t))

PU4 Add control component Cr(CC))

PU5 Delete control compo-

nent

De(CC))

3.2 TNCESs Rebuilding

Given a TNCES T N and a CTL formula φ, the re-

building operation (RO) consists of synchronization

veriﬁcation between CCs, e.i., checking the syn-

chronization faults between transitions in different

CCs (the broadcasting correctness) then to repair the

TNCES model if necessary. We can resume (RO) of a

TNCES as follows.

1. Structural rebuilding of signals which consists to

enable/disable one control component by adding/

deleting its signals.

2. Update of TNCES (conﬁguration) which consists

of adding/deleting a whole CC (or set of CCs).

We denote by EN(

•

T )/ EN(T

•

)) the set of entering/

exiting events of transition T . Table 2 recapitulates

the above faults and their correction.

3.2.1 Illustrative Example

Let’s consider Z as the TNCES shown in ﬁgure 3.

As a functional property, CC

and CC

should not be

joined in the same execution. Trivially, the CTL for-

mula 6 is not satisﬁed by this TNCES, so that we need

to rebuild the TNCES to be adequate for the required

functional property.

φ = AF(p

→ ¬EF p

) (6)

[1, 3]

Figure 3: illustrative example .

The rebuilding operation RO, in this case, can be

achieved by deleting the synchronization signal be-

tween CC

and CC

. Formally:

RO = (Z,φ, I = (De(ev(t

))) (7)

For TNCES update, let’s suppose that the designer

needs to substitute CC

by CC

and to add a new

process after CC

. Formally, instructions chain of this

RO is described as: I = De(ev(t

)) + De(CC

) +

De(ev(t

)) + Cr(CC

) + Cr(ev(t

)) +

Cr(ev(t

)) +Cr(CC

) +Cr(ev(t

)).

Figure 4 depicts the TNCES update result.

ENASE 2019 - 14th International Conference on Evaluation of Novel Approaches to Software Engineering

162

Table 2: Table of synchronization faults and their corrections.

Faulty results ∃t

∈ EN(

•

T )/W (t

,T ) = 0 ∃t

∈ EN(T

•

)/W (T,t

) = 0

Correction Cr(ev(t

,T )) Cr(ev(T,t

))

Explication graphic

Before After

∀t

∈ EN(

•

T )/W (t

,T ) = 0 ∀t

∈ EN(T

•

)/W (T,t

) = 0 ∃t

∈ EN(T )/W (t

) = 1

∀t

Cr(ev(t

,T )) ∀t

Cr(ev(T,t

)) De(en(t

)) +Cr(ev(t

,T ))

Before After

Before

After

[1, 3]

Figure 4: TNCES update illustrative example.

3.3 Generalization of TNCES

Rebuilding

Given M an R-TNCES and Φ a set of CTL formulas

in ENF to be checked. For the veriﬁcation process

of those CTL formulas, we can divide the whole pro-

cess into two steps, so that exactitude of the ﬁrst step

initiates the second, as follows:

1. Check the consistency of the control module and

apply the rebuilding if needed.

2. Check the consistency of the behavior module and

apply the rebuilding if needed.

Rebuilding an ordinary Petri net consists in

adding/deleting place/transition (Carrillo and

Rosenblueth, 2014). Whilst, control module re-

building, in R-TNCESs, consists in enable/disable

one conﬁguration by adding/deleting of signals or

adding/deleting an entire conﬁguration of the control

module (according to the fundamental structure

modiﬁcation instructions of R-TNCES (Zhang et al.,

2013)).

Assumption.1 In this work, we assume that the

control module is not faulty and represents the desired

behavior, i.e., the reachability of each conﬁguration is

covered by the control module.

Assumption.2 Every CC respects the good re-

quirements of the designer and it is not in a faulty

case.

We concentrate on the behavior module response

when a reconﬁguration is requested or an error oc-

curs. In this work, we focus on the deployment of the

second step. Figure 5 illustrates the veriﬁcation steps

of an R-TNCES.

Checking

Properties on

control module

Properties on

behavior module

Rebuild and re-

checking

Stop Inconsistency

Checking

Rebuild and re-

checking

satisfied violated

violated

satisfied

violated

violatedsatisfied

satisfied

Figure 5: The veriﬁcation process of R-TNCES.

R-TNCES Rebuilding: A New Method of CTL Model Update for Reconﬁgurable Systems

163

3.4 R-TNCES Rebuilding

Rebuilding operation (RO) of an R-TNCES reposes

on two basic sub-processes that assure the needed ab-

straction of both model and formula to facilitate the

CTL update process. The ﬁrst one is the computa-

tion of a new Kripke structure model from the behav-

ior module B using Algorithm1. Indeed, each con-

trol component (resp, event signal) in B becomes a

state (resp, relation) in the Kripke structure. The sec-

ond sub-process consists in the transformation of a

CTL formula expressed in R-TNCES to adapt it for

the Kripke structure veriﬁcation. This transformation

preserves path formulas and expresses state’s formu-

las according to their CCs. Algorithm 2 computes the

abstraction of CTL formulas without any loss of in-

formation for the Kripke structure veriﬁcation.

Algorithm 1: Kripke Structure generation.

Input: B =

∑

T NCES;

Output: Sk = (S, s

,R,L);

for each control component CC

,i=1..n do

Create state s

∈ S;

Create label L : s

→ (cc

);

end

for each control component CC

,i=1..n do

if (∃ev(t

)/ t

∈ CC

and t

∈ CC

) then

Create relation (s

) ∈ R;

end

for each control component CC

,i=1..n do

if (∃cn(p

)/ p

∈ CC

and t

∈ CC

) then

Create label L : s

→ (cc

);

end

← s

;/*CC

is the 1

physical process*/

Return (SK);

Given an R-TNCES RT N = (B,R) and a CTL for-

mula φ in ENF, we can deﬁne a six steps methodology

for automatizing the rebuilding of behavior modules

as follows.

1. Transform the behavior module B to Kripke struc-

ture SK using Algorithm 1.

2. Transform the formula φ to adapt the same seman-

tic value in the Kripke structure using Algorithm

3. Check the satisfaction of SK  φ. If SK  φ, then

the model is well speciﬁed, otherwise, go to the

next step.

4. Modify SK according to CTL model update ap-

proach (Zhang and Ding, 2008); action to be su-

pervised by the designer.

Algorithm 2: CTL transformation.

Input: Φ expressed on R-TNCES;

Output: Φ

expressed on Sk;

for each sub-formula φ ∈ Φ do

if (φ is a path formula) then

CTL transformation(φ, Φ

);/*Recursivity*/

end

else

if (φ is a state formula) then

for each p

expressed in φ do

Replace (p

)/p

∈ CC

;

Replace (t

)/t

∈ CC

;

end

Return (Φ

);

5. Re-check the satisfaction of the modiﬁed model

SK  φ. If SK  φ, then the model is well mod-

iﬁed, otherwise, there is an inconsistency in the

speciﬁcation (formula/model or both).

6. Rebuild B using primitives that are equivalent to

those executed in the 4th step. Table 1 presents the

equivalence between the primitives of CTL update

and R-TNCES rebuilding.

Figure 6 summarizes the above steps of the re-

building operation RO for an R-TNCES model.

CTL formula F

CTL update for

SK'Ü SK

Stop

Behavior

module B

Re-Check

SK' |= Y

Check

SK' |= Y

Transformation

Y Ü F

Compute Kripke

structure

SKÜ B

Rebuild B

according to SK'

Satisfied

violated

inconsistence

Satisfiedviolated

Figure 6: Methodology of R-TNCES rebuilding.

ENASE 2019 - 14th International Conference on Evaluation of Novel Approaches to Software Engineering

164

[1, 3]

Figure 7: Behavior module B of FESTO MPS.

4 EXPERIMENTAL STUDY

4.1 Case study

To validate and to demonstrate the gain of the pro-

posed contribution, let us consider the R-TNCES

model shown in ﬁgure 7. It is a faulty model of behav-

ior module of FESTO MPS, which is a lab-scale pro-

duction line simulating different functions of a fac-

tory. FESTO MPS is well described and detailed in

(Zhang et al., 2013). FESTO achieves the physical

processes sequentially and executes them in conﬁgu-

rations (Con f ig

,Con f ig

, Con f ig

). It is

assumed that every physical process (i.e., Election,

Convert, Test, Test failed, Elevate, Rotate, Drill1,

Drill2, Drill1 OR Drill2, Drill1 And Drill2, Checker,

Evacuation) is modeled by one control component

(CC) and every conﬁguration Con f ig

has one con-

trol chain (C

chain

). The control chains describing the

physical process are as following.

• C

chain

= (CC

,CC

), when Test f ailed

is executed.

• C

chain

= (CC

,CC

), when Drill1 is executed.

• C

chain

=(CC

,CC

), when Drill2 is executed.

• C

chain

=(CC

,CC

), when workpieces alternatively drilled

Drill1 or Drill2.

• C

chain

=(CC

,CC

), when workpieces intensively drilled

Drill1 and Drill2.

In order to check that the model satisﬁes the good

requirements, we must ensure the CTL based func-

tional properties. In particular, to ensure the prod-

uct quality, every workpiece that fails in the ﬁrst test

(quality test: color, material, and height of work-

pieces) cannot be drilled. To assure the production

of a good product, once the workpiece is rejected at

the quality test, it is not allowed to that workpiece to

proceed to next steps. To check this behavior, we use

the following CTL formula:

Φ := AG(p

→ AF(¬p

)) (8)

This formula in the ENF form is written as follows.

Φ := ¬EF(p

∧ EG(p

)) (9)

First, we need to compute Kripke structure of the

above behavior module using Algorithm 1. The re-

sults result is shown in Figure 8.

Figure 8: Kripke structure SK computation result.

R-TNCES Rebuilding: A New Method of CTL Model Update for Reconﬁgurable Systems

165

[1, 3]

Figure 10: Behavior module B of FESTO MPS after rebuilding.

By applying Algorithm 2, we give the CTL trans-

formation of Φ as follow.

Φ := ¬EF(cc

∧ EG(cc

)) (10)

Formula 10 is proven to be False. We select EG(cc

)

to be checked: each path has a state with cc

in the

model and satisﬁes EG(cc

). (π

= [s

...s

];

= [s

...s

]; π

= [s

...s

]; π

...s

] ; π

= [s

...s

]). Then se-

lect the path which have cc

and cc

(π

...s

]). According to Ding, eventually we

need to update SK. We apply PU 2 to remove the re-

lation (s

). Thus, we obtain a new Kripke model

, which simply states that no transition from state

to state s

is allowed. The result of this update is

depicted in Figure 9.

Figure 9: The new Kripke model SK

Finally, we apply the equivalent R-TNCES re-

building modiﬁcations of PU2 on the module be-

havior to get a new correct module, i.e., we delete

event signal ev(t

) by modiﬁcation instruction

De(ev(t

)). Results os this last step are shown

in Figure 10.

We desire to rebuild the system in order to allow

the behavior module to inject a new physical process

of drilling Drill3. Drill3 must proceed before Drill1

in Con f ig

and out of the system in the other conﬁgu-

rations. This changes must be supervised and veriﬁed.

Simply, this operation can be deployed by adding a

new state s

in SK

using successively primitive PU 2

to remove the relation between s

and s

and PU4 to

add state s

and its associated relations.

For a more complex case, let’s assume that the

maps processing mode V of this R-TNCES works

on V : T → {AND} mode. We must ensure that the

system cannot execute Drill3 at the same time with

ÙØ

Figure 11: Kripke structure SK

after adding the Drill3 op-

eration.

ENASE 2019 - 14th International Conference on Evaluation of Novel Approaches to Software Engineering

166

Table 3: Qualitative comparison with some related works.

Work Formalism used Reconﬁguration Model repair

(Zhang and Ding, 2008), Kripke structure No Yes

(Ding and Zhang, 2007).

(Carrillo and Rosenblueth, 2014). Kripke structure No Yes

(Mart

ınez-Araiza and L

opez-Mellado, 2014),

(Mart

ınez-Araiza and L

opez-Mellado, 2015), Petri nets No Yes

(Martinez-Araiza and L

opez-Mellado, 2016).

(Zhang et al., 2013) R-TNCESs Yes No

(Haﬁdi et al., 2018) R-TNCESs Yes No

Our work R-TNCES Yes Yes

another conﬁguration. For this safety condition, s

must contain more information on its label. So we

will change the label of this state using PU3. Figure

11 depicts the new SK

model.

After performing these changes on Kripke model

and applying equivalent R-TNCES rebuilding modiﬁ-

cations, we get the correct model shown in Figure 10.

The exact reachability graph is computed using

the SESA model checker (Starke and Roch, 2002),

thus 85493 sates are obtained as shown in sub-ﬁgure

12(a). The computed graph is ﬁnite and it has no

dead reachable states. SESA is applied automatically

to verify the deadlock and boundedness properties

and it is applied manually to check functional prop-

erties. Firstly, we check that the new model satisﬁes

the property of quality (Φ := AG(p

→ AF(¬p

)) ).

This formula is proven to be True (sub-ﬁgure 12(b)).

Then, we verify that it TNCESs’s update is well done

without system degradation. For this purpose, we ver-

ify the following formula.

AG(EF¬(p

∧ ¬p

)) (11)

(a)

(b)

(c)

Figure 12: A screen-shot on SESA veriﬁcation.

Indeed, whatever a state in the reachability graph,

∧ p

) must not be satisﬁed. The for-

mula is proven to be True (sub-ﬁgure 12(c)). Fig-

ure 12 depicts a screen shot of the model-checking

results.

4.2 Discussion

Table 3 describes a short qualitative comparison be-

tween the proposed contribution and the most recent

related works.

For reconﬁgurable systems, there is no study in

the rebuilding and model correction. However, our

proposed methodology facilitates the process of syn-

chronization properties veriﬁcation. Thus, the clas-

sical veriﬁcation of R-TNCES checks these proper-

ties based on the whole model, contrariwise, the R-

TNCESs rebuilding (RO) provides a veriﬁcation of an

abstract model (Kripke structure) with formal meth-

ods to ensure the correctness.

5 CONCLUSION

This work deals with the automatic rebuilding of a re-

conﬁgurable system modeled with the R-TNCES for-

malism and CTL properties speciﬁcations.

In this paper, we have presented a computation

tree logic model update methodology for reconﬁg-

urable systems modeled with reconﬁgurable timed

net condition/event systems (R-TNCESs) called R-

TNCESs rebuilding. Based on the CTL update model

of the Kripke structure, we deﬁne a method that deals

with CTL formulas and repairs reconﬁgurable sys-

tem models. Our contribution reposes on two fun-

damental techniques. The ﬁrst one is an algorithm

that computes a Kripke structure based on R-TNCES

model. The second one is a new technique to trans-

form a CTL formula expressed on R-TNCESs model

to another one expressed on a Kripke model with the

same veriﬁcation value (a granularity passage). In ad-

R-TNCES Rebuilding: A New Method of CTL Model Update for Reconﬁgurable Systems

167

dition, this work deﬁnes an equivalence between Ding

primitives and R-TNCESs rebuilding modiﬁcation in-

structions. At the end, we conﬁrm the obtained results

of R-TNCESs rebuilding operation by an experimen-

tal case study using SESA tool to validate the ﬁnal

model. Classically, the designer has to repeat the ver-

iﬁcation cycle for each violated functional property,

with this proposition we use the formula to update the

model directly which results in the gain of designer

effort and thus reduces the veriﬁcation time.

This work opens several possible avenues for fu-

ture researches. First, we plan to apply our approach

on real large case studies with different kind of prop-

erties not only with synchronization properties. Sec-

ond, we plan to go further in the granularity degree of

the approach, by taking into consideration more de-

tails of CTL formulas. Finally, we plan to deal with

reconﬁgurable systems with distributed behaviors.

REFERENCES

Baier, C., Katoen, J.-P., and Larsen, K. G. (2008). Princi-

ples of model checking. MIT press.

Carrillo, M. and Rosenblueth, D. A. (2014). Ctl update of

kripke models through protections. Artiﬁcial Intelli-

gence, 211:51–74.

Ding, Y. and Zhang, Y. (2007). System modiﬁcation case

studies. In Computer Software and Applications Con-

ference, 2007. COMPSAC 2007. 31st Annual Interna-

tional, volume 2, pages 355–360. IEEE.

Haﬁdi, Y., Kahloul, L., Khalgui, M., Li, Z., Alnowibet, K.,

and Qu, T. (2018). On methodology for the veriﬁca-

tion of reconﬁgurable timed net condition/event sys-

tems. IEEE Transactions on Systems, Man, and Cy-

bernetics: Systems, pages 1–15.

Housseyni, W., Mosbahi, O., Khalgui, M., Li, Z., and

Yin, L. (2018). Multiagent architecture for distributed

adaptive scheduling of reconﬁgurable real-time tasks

with energy harvesting constraints. IEEE Access,

6:2068–2084.

Khalgui, M. and Hanisch, H.-M. (2011). Automatic NCES-

based speciﬁcation and sesa-based veriﬁcation of fea-

sible control components in benchmark production

systems. International Journal of Modelling, Identiﬁ-

cation and Control, 12(3):223–243.

Lakhdhar, W., Mzid, R., Khalgui, M., Li, Z., Frey, G., and

Al-Ahmari, A. (2018). Multiobjective optimization

approach for a portable development of reconﬁgurable

real-time systems: From speciﬁcation to implementa-

tion. IEEE Transactions on Systems, Man, and Cyber-

netics: Systems, PP(99):1–15.

Mart

ınez-Araiza, U. and L

opez-Mellado, E. (2014). A ctl

model repair method for petri nets. In World Automa-

tion Congress (WAC), 2014, pages 654–659. IEEE.

Mart

ınez-Araiza, U. and L

opez-Mellado, E. (2015). Ctl

model repair for bounded and deadlock free petri nets.

IFAC-PapersOnLine, 48(7):154–160.

Martinez-Araiza, U. and L

opez-Mellado, E. (2016). Ctl

model repair for inter-organizational business pro-

cesses modelled as owfn. IFAC-PapersOnLine,

49(2):6–11.

Padberg, J. and Kahloul, L. (2018). Overview of reconﬁg-

urable petri nets. In Graph Transformation, Speciﬁca-

tions, and Nets, pages 201–222. Springer.

Starke, P. H. and Roch, S. (2002). Analysing Signal-net

Systems. Professoren des Inst. f

ur Informatik.

Zhang, J., Frey, G., Al-Ahmari, A., Qu, T., Wu, N., and

Li, Z. (2018). Analysis and control of dynamic recon-

ﬁguration processes of manufacturing systems. IEEE

Access, 6:28028–28040.

Zhang, J., Khalgui, M., Li, Z., Frey, G., Mosbahi, O.,

and Salah, H. B. (2015). Reconﬁgurable coordi-

nation of distributed discrete event control systems.

IEEE Transactions on Control Systems Technology,

23(1):323–330.

Zhang, J., Khalgui, M., Li, Z., Mosbahi, O., and Al-Ahmari,

A. M. (2013). R-TNCES: A novel formalism for re-

conﬁgurable discrete event control systems. IEEE

Transactions on Systems, Man, and Cybernetics: Sys-

tems, 43(4):757–772.

Zhang, Y. and Ding, Y. (2008). Ctl model update for sys-

tem modiﬁcations. Journal of artiﬁcial intelligence

research, 31:113–155.

ENASE 2019 - 14th International Conference on Evaluation of Novel Approaches to Software Engineering

168