www.his.se

Verification of an industrial rule-based manufacturing system using

REXAnnMarie Ericsson University of Skövde, Sweden

Mikael Berndtsson University of Skövde, Sweden

Paul Pettersson University of Mälardalen, Sweden

Lena Pettersson Volvo IT, Sweden

www.his.se

This talk is about…

• Formal analysis of rule based applications– Case tools for formal analysis not tailored for analyzing

complex events and rules.

• Experiences from using our approach – Case study of industrial system

• Algorithm for improving performance– Potentially reducing search-space for model-checker

www.his.se

• Errors detected early are cheaper to correct.• Avoid introducing errors

• Remove errors that are introduced as soon as possible

• Complementary to current approaches• Testing can show the presents of fault, not the absence

• Existing methods for generating test cases from formal specifications

Why do I need formal analysis??

It helps you to prevent design errors from entering your system. Errors detected early are cheaper to correct.

www.his.se

Why NOT Formal verification?• Expertise required to create specifications and perform analysis

– Time consuming even for experts

• Expertise needed to create property expressions for verification– Checking requirements usually requires knowledge of e.g. CTL or

regular expressions

• Hard for stakeholders to understand the specification

• CASE tools for formal analysis exist– Not tailored for applications based on rules and events

– Suffer from state space explosions

www.his.se

Seamless Formal Analysis of CEP Applications

UPPAAL(Timed automata model-checker)

Event SpecificationRequirement Properties

Environment

6

www.his.se

The case-study object TUR• System for constructing assembly plans (Volvo IT)

– Converting high-level plans to detailed production plans

– Controls behavior of production plants

• Behavior of TUR depend on – values in incoming telegrams

– database tables

• Assembly plans and constraints stored in database tables

7

www.his.se

High-level plans to detailed production plans

50 type B4 delivered 2008110375 type B5 delivered 20081104…

50 items of type x delivered 2008110375 items of type x delivered 20081104100 items of type y delivered 20081104125 items of type z delivered 20081103…

50 items of type x delivered 2008110375 items of type x delivered 20081104…

100 items of type y delivered 20081104125 items of type z delivered 20081103

8

www.his.se

Developed rulesItem type Amount

Rules 63

Primitive events 50

Complex event conjunctions 8

Complex events disjunctions 4

Data object 30

Database tables 12

www.his.se

Performance

• 34 identified verification properties to check, e.g.– is it possible for rule R1 to execute before rule R2?

– will rule R4 always execute?

• Behavior of TUR depends on values in database tables– Impossible to check behavior for all permutations

– 20 scenarios were identified based on expected behavior

– Each scenario verified for each property in < 1 sec

www.his.se

Preprocessing algorithm• Not all rules and events affect the result of executing a

verification expression– Remove rules that will not affect outcome

P= R2 always executes before R1

{R2,R1}{R2,R1,R3}

Smaller rule-set => Reduced search space

Rules: {R1,R2,R3,R4,R5,R6}

www.his.se

Iterative Verification• Perform verification iteratively during development

– Several errors detected immediately after introduction of a new rule

• Correct a recently introduced rule is easy.– Hard to correct errors that are found late

• Correct a rule depending on other rule and affecting the behavior of other rules are hard

• Changing one rule may have undesirable unexpected consequences

www.his.se

Simulation

• Simulator in REX retrieves step by step information from Uppaal– Simulation of not yet executable rules

– Step by step choices by user

– Traces loaded from verification results

• Good for understanding results from verification– Hard to grasp behavior of the entire rule set

www.his.se

Conclusion• Verifying iteratively

– helps coping with complexity of interacting rules• Using scenarios

– increases ability to verify non-deterministic systems.– Trade off between performance and complete search

• Preprocessing rules– potentially reduces search space

• Using Simulator – Loading results of verification traces enables graphical

view of the results

www.his.se

Thank you!