Form-based PLC modeling and verification method (Part 2)

3. Analyse en verbetering van PLC-model

In het vorige hoofdstuk werd het PLC-modelleringssysteem geïntroduceerd. Volgens deze strategie kunnen we het PLC-systeem abstraheren in een formeel model voor modelcontrole. De geloofwaardigheid van dit model bepaalt dus direct de resultaten van de modelcontrole. Als het model het originele systeem niet volledig dekt (we noemen het kleiner dan het originele systeem), kunnen sommige fouten onopgemerkt blijven; als het echte systeem het model volledig kan dekken, maar het veel toestanden bevat die het originele systeem niet heeft (we noemen het kleiner dan het originele systeem) Het originele systeem is groot), waardoor sommige fouten kunnen ontstaan die in het echte systeem niet bestaan. Dit wordt een pseudofout genoemd. Er zijn dus twee vereiste modelleerstrategieën.

First, in order to find all errors in the system, we should build a model large enough to cover all state original systems; second, the model is required to be as close to the real system as possible. This will not only reduce the state space, but also improve efficiency. Based on the requirements, we will analyze the time interval model. Proposition 1 If the time interval model conforms to the properties, the real PLC system model also conforms. The correctness of Proposition 1 can be concluded from the relationship between the two models. That means that everything that will happen to the real model is contained in the time interval model, the time interval model is larger than the real model. If you can’t find a counterexample by using the time interval model, you can prove the correctness of the real PLC model; on the other hand, if we find a counterexample, we can’t determine whether the real PLC system has errors. That is to say, the converse of Proposition 1 is false. Manual intervention is then required to analyze the counterexample to determine whether it is a spurious error.

The time interval modeling strategy can obtain a summary PLC model, and many studies based on NuSMV also use strategies similar to the time interval model to simulate PLC systems. However, the “time interval model” deviates greatly from the real model and needs to be improved. This deviation is: the “time interval model” does not reflect the characteristics of PLC’s high-speed scanning characteristics and low-speed scanning characteristics of concurrent entities. That is, all environmental changes should be scanned by the high-speed PLC, but the time interval model ignores the high-speed characteristics of the PLC, so changes in the external environment may not be scanned. In response to the above problems, taking into account the physical characteristics of external high-speed scanning and low-speed concurrency, the time interval modeling strategy will be improved by adding a notification waiting mechanism. Based on the interval model, each concurrent state entity must be blocked and wait somewhere after the transfer is completed.Only when the PLC controller has fully scanned at least once, the notification waiting mechanism will

The concurrent entity deletes the block and continues working. Then the transfer is completed. The process of the concurrent entity completing the migration through the notification waiting mechanism is shown in Figure 2:

 t0: Transmission starts, blocks and notifies PLC controller.

 t1-tm: PLC completely scans m times (m in

At least).

 tm 1: The concurrent entity receives the notification PLC and the transfer is completed.

This mechanism ensures that each state change of a concurrent entity can be scanned by the PLC controller at least once. Proposition 2 After adding the notification waiting mechanism, the model becomes a subset of the time interval model.exist

At the same time, the model can also include all situations in the real model. In other words, if a model adds a notification waiting mechanism that conforms to the attributes, the real PLC system model also conforms. Using Proposition 1 to prove Proposition 2 is similar. Through Proposition 2, we can see that the mechanism model still has good properties after adding notification waiting. As mentioned before, abstract system models have two requirements: first, that the real system be completely included, and second, that the model be as close as possible to the real system. The first proposition is to prove that the time interval model includes the real system. As long as model checking tools are used to prove that the abstract model satisfies certain properties, then the real properties of the system will also satisfy this. But this model is not exactly equal to the real model, it should be much larger than the real model. Compared with time interval models, this model further reduces the distance between real systems, greatly reducing the chance of detecting spurious errors.

A model checking tool will give a counterexample that violates the system’s property; it is easy to determine manually whether a counterexample in a real system is true or not. If the error in the original system really exists, then we find a counterexample. Otherwise, the error is because the abstract model is larger than the real system, which is a spurious error. Therefore, although this time interval model is not completely equivalent to the original system, through this model we can judge whether a system satisfies a certain property, and if not we can find a specific counterexample (more checks are still needed to determine whether it is a pseudo error). The model is not equivalent to the original system mainly because there are many factors that are difficult to model in the actual system, some of which may lead to errors. If all factors were modeled, this would result in building a huge model that cannot be checked, or simply cannot be implemented. The time interval model abstracts key factors from the real system and models them, greatly reducing the state space and reducing time complexity. At the same time, through the notification waiting mechanism, the model becomes closer to the real system, which not only reduces the time complexity, but also reduces the pseudo errors mentioned earlier.

NuSMV) check is implemented on the model established above. We formulated a series of conversion rules to build the above model into SPIN’s input language Promela. System attributes also need to be translated into Promela. SPIN puts them together and then performs detection. The PROMELA language is a C-like language and they are semantically similar. So we just give some examples to show the basic concepts of translation. To view detailed information about the PROMELA language, visit www.spinroot.com. We will introduce the three parts of the PROMELA file as input to SPIN.

1) PLC controller code

A PLC controller consists of multiple networks.

The code for the PLC controller is also generated from the network. Of course, before doing this, you should declare the variables you need. Each network has its input and output ports, and each port can be represented by a Boolean expression.We assign the value of the output port through logic

Count all input ports.This is the translation

PLC network method.

X

Schakel JavaScript in je browser in om dit formulier in te vullen.
Voer productgegevens in zoals interfaceconfiguratie, omgeving enz. en andere specifieke vereisten om een nauwkeurige offerte te ontvangen.

nl_NLDutch
nl_NLDutch en_USEnglish ru_RURussian de_DEGerman es_ESSpanish it_ITItalian pt_PTPortuguese fr_FRFrench
Schakel JavaScript in je browser in om dit formulier in te vullen.
Voer productgegevens in zoals interfaceconfiguratie, omgeving enz. en andere specifieke vereisten om een nauwkeurige offerte te ontvangen.