Verifying a smart sensor for a crane stability system using formal methods.
Troy Huckle
Supervisor: AsPr David Kearney
Associate Supervisor: Dr Ivan Lee
Personal Introduction
• My name is Troy Huckle.
• Currently studying LHCP part time.
• Employed by Robway Crane Safety Systems Pty Ltd.
Acknowledgment
• I would like to thank my supervisor AsPr David Kearney for providing direction and support for this thesis. I would also like to thank my associate supervisor Dr Ivan Lee for helping with guidance to finish off the thesis, and Robway Crane Safety Systems Pty Ltd for being flexible so I could work on this thesis.
Thesis Introduction
• What is a crane?
• Cranes are used for lifting and moving objects in construction and other industries.
Crane Safety
• Safety issues with cranes:
- Load drop.
- Boom breakage.
- Collapse.
- Tip over.
- Property damage.
- People are injured or killed when things go wrong.
Crane Safety
• Safety measures that can be taken:
- Safety equipment.
- Operator training.
- Electronic safety control.
• Safe Load Indicator (SLI) or Rated Capacity Indicator (RCI):
- The RCI is the crane safety system controller.
- Microcontroller / electronic based system.
- Analog to digital sensor reading.
- Displays information to the operator such as the safe working load (SWL).
- Drives audio and visual indicators.
Crane Safety
• RCI software requirements:
- Direct measurement of sensors.
- Load moment measurement.
- Allow the crane to work in a safe state.
- Motion cut when in a non-safe state.
Sensors
• Sensors: what are sensors?
- A sensor transforms information obtained from an object into an electrical signal.
- Load pins / cells.
- Pressure.
- Angle.
- Length.
- Tilt.
• Data obtained from sensors:
- Voltage.
- Current.
- Serial data.
Smart Sensor
• Smart sensors: what are smart sensors?
- Contain intelligence.
- A smart sensor is an integration of a sensor, interface circuitry, network controller and a microprocessor in a single unit (Da Silva Sa 2005).
• Advantages:
- Error detection.
- Predictable behaviour.
- Easy to calibrate and flexible.
- Less error due to cable runs.
- Easy installation.
- Can be distributed and networked over a serial bus.
- Removes analog measurement from the RCI.
Smart sensor basic block diagram
[Figure: Sensor -> Signal Converter -> Microcontroller -> Serial Interface.]
Safety system
• The eight steps of safety are (Douglass 1999):
- 1. Identify the hazards.
- 2. Determine the risk.
- 3. Determine safety measures.
- 4. Create a safe design.
- 5. Create safety requirements.
- 6. Implement safety.
- 7. Assure the safety process.
- 8. Test.
Safety system
• How to minimise risk in a safety system? Use a safety critical system design methodology, standards, guidelines and qualified software.
• Examples are:
- MISRA C (motor industry guideline for safety critical programs written in C).
- IEC 61508, Functional Safety of Electrical/Electronic Safety-Related Systems.
- Automated unit testing (e.g. LDRA Technology, Inc).
- IAR C compiler, MISRA qualified.
- Integration and system testing.
Safety system
• The IEC 61508 standard has some recommendations to avoid the introduction of faults into a system (Brown 2000):
- Observance of guidelines and standards.
- Project management.
- Structured design.
- Modularisation.
- Use of well-tried components.
- Semi-formal methods.
- Checklists.
- Computer aided design tools.
- Simulation.
- Inspection or walk-through of the hardware.
- Formal methods.
Modeling
• Formal methods are mathematically based techniques for the specification, development and verification of software and hardware systems.
• Simulation and model checking can be used to check for faults.
Model checkers
• Model checking software is used for the verification of software.
• Holzmann's (1997) Spin model checker was chosen as the thesis model checker because of its suitability for the thesis topic and its ready availability.
• Petri nets are used for simulation and verification.
• Other model checking solutions investigated:
- Goanna, a static analysis tool for C/C++ source code based on model checking (Fehnker 2006).
- CBMC, a bounded model checker for C used for boundary and static code testing (Johnson 2006).
- Code Wizard, a commercial compiler analysis for program rules that can check against standards (Johnson 2006).
Petri nets
• Petri nets were developed by Carl Adam Petri.
• A mathematically defined, graphical, step-by-step process.
• Petri nets are made of arcs, places, tokens and transitions.
• Transitions consume tokens and produce tokens.
[Figure: two diagrams, A and B, of places P1 and P2 joined by transition T1, showing T1 consuming a token from P1 and producing one in P2.]
Petri nets
• The basic building blocks of Petri nets are A) sequential, B) AND split, C) AND join, D) OR split and E) OR join processes.
[Figure: panels A to E, one per building block.]
Petri net model
• Fault Status Petri net model.
[Figure: Petri net with places P1 to P11 and transitions T1 to T11. Labelled places: SET FAULT, Semaphore, CLEAR FAULT, CLEAR STATE, HEALTH FAULT, MESSAGE FAULT, HEALTH & MESSAGE OK, FAULT STATE.]
Petri net model
• Sensor status and CAN bus status Petri net model.
[Figure: Petri net with places P13 to P27 and transitions T13 to T28. Labelled places: CLEAR STATE, SENSOR FAULT, SENSOR OK, CANBUS FAULT, CANBUS OK, BUFFER MESSAGES, MESSAGE SENT, Semaphore.]
Spin model checker
• The SPIN model checker is used for verification and simulation.
• SPIN is used to check assertions, unreachable code, deadlocks and safety properties.
• SPIN uses the PROMELA language, with logic properties expressed in linear temporal logic (LTL).
• The Spin model checker is used to check the model for states which could cause a failure (Holzmann 1997).
JSpin
Promela language
• Promela is a verification modelling language.
• Designed as a specification language and targeted at concurrent software systems.
• Similar to the C language.
• Allows dynamic creation of processes.
• Atomic sequences.
Promela Petri net model
/* Fault Status Petri Net: one byte per place holds its token count.
   Each option of the do loop is one transition; it fires atomically
   when every input place holds a token, consuming one token from each
   input place and producing one in each output place. */
byte p1, p2, p3, p4, p5, p6;
byte p7, p8, p9, p10, p11;

init {
    p1 = 1; p6 = 1; p7 = 1;    /* initial marking */
    do
    :: atomic { (p1 > 0) -> p1--; p2++ }
    :: atomic { (p2 > 0) -> p2--; p3++ }
    :: atomic { ((p2 > 0) && (p6 > 0)) -> p2--; p6--; p4++ }
    :: atomic { ((p3 > 0) && (p6 > 0)) -> p3--; p6--; p4++ }
    :: atomic { ((p4 > 0) && (p7 > 0)) -> p4--; p7--; p5++ }
    :: atomic { (p5 > 0) -> p5--; p1++; p7++; p10++ }
    :: atomic { (p3 > 0) -> p3--; p9++ }
    :: atomic { (p8 > 0) -> p8--; p1++; p6++; p7++ }
    :: atomic { ((p7 > 0) && (p11 > 0)) -> p7--; p11--; p8++ }
    :: atomic { (p9 > 0) -> p9--; p11++ }
    :: atomic { ((p9 > 0) && (p10 > 0)) -> p9--; p10--; p11++ }
    od
}
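As an added example (not code from the thesis, and not Spin itself), the Python script below does for the Fault Status net what Spin does for the Promela model above: it enumerates every reachable marking breadth-first and checks a safety claim (an "always" property) on each one, reports the transition trail to the first counterexample the way Spin reports an error trail, checks for deadlock, and bounds the token count per place so the search stays finite. The names T1 to T11 are assigned in the order of the options in the Promela model, which is an assumption; the semaphore and control-token invariants are read off the net's structure, not taken from the slides. Run on the net as transcribed, it finds no deadlock and no invariant violation, but reports that p6 and p10 can accumulate tokens (the T7 branch hands the control token back through T8, which adds a p6 token without one having been consumed), something worth checking against the original figure given that the Promela model keeps each place in a byte.

```python
"""Explicit-state reachability check of the Fault Status Petri net.

Added example; not code from the thesis or from Spin. The net is transcribed
from the Promela Petri-net model (places p1..p11, eleven transitions, initial
marking p1 = p6 = p7 = 1). Transition names T1..T11 follow the order of the
do-loop options, which is an assumption.
"""
from collections import deque

# Each transition: (places it consumes one token from, places it adds one to),
# copied from the guards and updates of the Promela model.
TRANSITIONS = {
    "T1":  (("p1",),       ("p2",)),
    "T2":  (("p2",),       ("p3",)),
    "T3":  (("p2", "p6"),  ("p4",)),
    "T4":  (("p3", "p6"),  ("p4",)),
    "T5":  (("p4", "p7"),  ("p5",)),
    "T6":  (("p5",),       ("p1", "p7", "p10")),
    "T7":  (("p3",),       ("p9",)),
    "T8":  (("p8",),       ("p1", "p6", "p7")),
    "T9":  (("p7", "p11"), ("p8",)),
    "T10": (("p9",),       ("p11",)),
    "T11": (("p9", "p10"), ("p11",)),
}
PLACES = [f"p{i}" for i in range(1, 12)]
INITIAL = {"p1": 1, "p6": 1, "p7": 1}


def tokens(marking, place):
    return marking[PLACES.index(place)]


def enabled(marking, name):
    consumed, _ = TRANSITIONS[name]
    return all(tokens(marking, p) > 0 for p in consumed)


def fire(marking, name):
    """Successor marking; the caller guarantees the transition is enabled."""
    consumed, produced = TRANSITIONS[name]
    m = list(marking)
    for p in consumed:
        m[PLACES.index(p)] -= 1
    for p in produced:
        m[PLACES.index(p)] += 1
    return tuple(m)


def explore(cap=3, safety=None):
    """Breadth-first search of the marking graph.

    cap    -- token limit per place: a firing that would exceed it is not
              taken and the place is reported in 'unbounded' instead.
    safety -- predicate over a marking (an '[] p' claim); the first
              counterexample is returned as (marking, transition trail).
    """
    m0 = tuple(INITIAL.get(p, 0) for p in PLACES)
    parent = {m0: None}                  # marking -> (predecessor, transition)
    queue = deque([m0])
    unbounded, deadlocks, violation = set(), [], None

    def trail(m):                        # transitions leading from m0 to m
        path = []
        while parent[m] is not None:
            m, t = parent[m]
            path.append(t)
        return path[::-1]

    while queue:
        m = queue.popleft()
        if safety is not None and violation is None and not safety(m):
            violation = (m, trail(m))
        fireable = [t for t in TRANSITIONS if enabled(m, t)]
        if not fireable:                 # nothing can fire: a deadlock
            deadlocks.append(m)
        for t in fireable:
            succ = fire(m, t)
            over = [p for p in PLACES if tokens(succ, p) > cap]
            if over:                     # beyond the cap: record, do not expand
                unbounded.update(over)
                continue
            if succ not in parent:
                parent[succ] = (m, t)
                queue.append(succ)
    return {"reachable": len(parent),
            "unbounded": [p for p in PLACES if p in unbounded],
            "deadlocks": deadlocks,
            "violation": violation}


# Invariants read off the net: p7 is taken by T5/T9 and handed back by T6/T8,
# so it acts as a semaphore and exactly one of p5, p7, p8 is ever marked; the
# places other than p6, p7 and p10 pass a single control token around.
def semaphore_invariant(m):
    return tokens(m, "p5") + tokens(m, "p7") + tokens(m, "p8") == 1


def control_invariant(m):
    control = ("p1", "p2", "p3", "p4", "p5", "p8", "p9", "p11")
    return sum(tokens(m, p) for p in control) == 1


def analyse(cap=3):
    """Standard checks with both invariants as the safety claim."""
    return explore(cap, safety=lambda m: semaphore_invariant(m) and control_invariant(m))


if __name__ == "__main__":
    result = analyse()
    print("reachable markings:", result["reachable"])
    print("deadlocks:", result["deadlocks"])
    print("places exceeding the cap:", result["unbounded"])
    print("invariant violation:", result["violation"])
```

Passing a deliberately false claim, for instance that p4 is never marked, returns the marking and the trail T1, T3 that reaches it, which is how a counterexample from a never claim reads in Spin's trail output.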
Promela model
/* Fault Status process. healthFault and messageFault are set and
   cleared elsewhere in the model; this process only moves between the
   clear-fault and set-fault states under the semaphore. */
bool healthFault  = false;
bool messageFault = false;
bool clearFault   = true;
bool setFault     = false;
byte semaphore    = 1;

active proctype faultStatus() {
    /* initial state: no fault set, semaphore free */
    assert((clearFault == true) && (setFault == false) &&
           (healthFault == false) && (messageFault == false));
    assert(semaphore == 1);
    do
    :: atomic { (healthFault && clearFault && (semaphore > 0)) ->
            semaphore--; clearFault = false; setFault = true; semaphore++
       }
    :: atomic { (messageFault && clearFault && (semaphore > 0)) ->
            semaphore--; clearFault = false; setFault = true; semaphore++
       }
    :: atomic { ((!messageFault && !healthFault) && setFault && (semaphore > 0)) ->
            semaphore--; clearFault = true; setFault = false; semaphore++
       }
    od
}
Validation
• Simulation.
• Asserts.
• Non-progress.
• Safety properties.
Safety properties
• Checking safety properties can highlight problems like unreachable states, deadlocks and other violations.
• The SPIN model checking tool checks all states of the model against the safety property claim using a depth-first algorithm and identifies where the violation occurs.
• An example is a traffic light: the green and red lights should not be on at the same time, and a yellow light must follow the green light before the red light. Properties like these are easily tested with property checking.
LTL
• LTL: linear temporal logic.
• The LTL symbols used for properties are defined as follows:
- □ - Always, in all cases.
- ∧ - Logical AND.
- → - Implies (what follows on from it).
- ◇ - Eventually.
- ¬ - Logical NOT.
- ∨ - Logical OR.
- U - Until.
Properties patterns
• Dwyer (1999) developed a property specification pattern system for finite-state verification.
• This pattern methodology can be used to represent LTL claims and reduce complexity.
• The pattern mapping, with the "globally" scope example for each pattern:
- □(¬P) - Absence: P is false, or never occurs.
- ◇P - Existence: P becomes true, or eventually occurs.
- □P - Universality: P is always true.
- ◇P → (¬P U S) - Precedence: S precedes P, or comes before it.
- □(P → ◇S) - Response: S responds to P, or comes after it.
Transforming LTL in Spin
• LTL can be added directly into Spin.
• The LTL symbols used for properties are converted for use in SPIN as follows:
- Always - []
- AND - &&
- Implies - ->
- Eventually - <>
- NOT - !
- OR - ||
- Equivalent - <->
- Until - U
• Example: [] (!(Red && Green))
Never Claims
• Spin transforms an LTL statement into a never claim.
• The never claim file is compiled and then verified against the model.
Never claims
• Example: [](!(setFault && clearFault)) produces the code below when transformed by Spin.
never {  /* !([](!(setFault && clearFault))) */
T0_init:
    if
    :: ((clearFault) && (setFault)) -> goto accept_all
    :: (1) -> goto T0_init
    fi;
accept_all:
    skip
}
Verification
Hardware
Hardware block diagram
[Figure: blocks Microcontroller, Health Monitoring, SPI Flash Memory, CAN Bus (fault tolerant), JTAG, Analog Input, RS232, Watchdog Timer, Excitation, Power Supplies, Analog Multiplexer, Instrumentation Amplifier.]
Sensor description
• A dual-axis inclinometer is connected to the hardware.
• This sensor provides an analogue voltage output signal for the X and Y directions.
• The sensor has a measuring range of ±10 degrees of tilt. This voltage must be converted to a digital value and transmitted on the CAN bus in a message packet.
Hardware Schematic
• Analog input, multiplexer and amplification (sheet dated 15-May-2009, file E:\SSI\SSI.ddb).
[Schematic sheet: sensor excitation supplies +5VEXC and +12VEXC (fuse F1, 500 mA), ADG609 analog multiplexer (U5), ADG884 and ADG802 analog switches (U6, U9, U10) selecting single-ended or differential input and gain (GAIN 1, 200; GAIN_250; GAIN_1000), AD623 instrumentation amplifier (U7), OPA340 (U3) and TS321 (U8) op amps, ADR366 3V3 precision voltage reference (U11), MMZ2012S102A ferrite beads on the supply and signal lines, test points for offset, +5VEXC and +3V3REF, and sensor connector J1.]
Hardware Schematic
• Microcontroller and SPI flash memory (sheet dated 15-May-2009, file E:\SSI\SSI.ddb).
[Schematic sheet: STM32F103C microcontroller (U17) with 8 MHz crystal Y1, 20-pin JTAG header J5, AT25F2048 SPI flash (U18, 2M x 8 FLASH SPI), MAX823 watchdog and power supervisor (U19, WDI and RESET), CAN signals CANTX/CANRX and CANSTB/CANERR/CANEN, USART signals RXD1/TXD1, and analog front-end signals AN0, ANA0, GAIN_250, GAIN_1000, DIFF and IP FAIL.]
Hardware Schematic
• RS232 and fault tolerant CAN bus (sheet dated 15-May-2009, file E:\SSI\SSI.ddb).
[Schematic sheet: TJA1054A fault-tolerant CAN transceiver (U16) with 560R RTL/RTH resistors and 120R termination R94, SN74AHCT1G04 inverters (U12, U13) on the CAN signal lines, ADM3202 RS232 transceiver (U14) to connector J3, CAN bus connector J4 carrying CANH, CANL, +VIN and PGND, SMBJ36A TVS diodes and ferrite beads for transient protection, green (D1) and red (D2) status LEDs.]
Hardware Schematic
• Power supplies and health check (sheet dated 15-May-2009, file E:\SSI\SSI.ddb).
[Schematic sheet: input protection (fuse F2 3 A, MBRS3100T3 diode D9, SMCJ36CA TVS D10), LT1676IS8 5V 1A switching supply (U21), LT3433 12V 100 mA minimum supply (U26), LF33ABDT 3V3 500 mA regulator (U20), LP2980 3V3 analog regulator (U22), MC78L08 +8VA regulator (U31), 5VA analog supply, LM293 comparator (U23) with LM4040-2.5 reference (U24) forming the 10V power fail comparator (IP FAIL), and test points for +12V, +5V, +3V3 and GND.]
Hardware PCB
• 4 Layer PCB
Outcomes
• Model of the smart sensor:
- Petri net model developed.
- Promela model developed.
- Simulation of the model.
- LTL safety properties developed.
- A verified Promela model using the Spin model checker.
• Hardware smart sensor:
- A hardware schematic and parts list.
- An electronic printed circuit board layout.
Conclusion
• Design methodology, standards, guidelines and qualified software can be used to minimise risk in a safety critical system.
• Formal methods like model checking can be used to check for software faults and to verify a safety system.
• The introduction of faults can be reduced by using the Spin model checker.
• Modelling of a system can provide useful information on a system prior to development of the system.
Future Work
• A graphical tool suited to safety critical applications.
• Automatic translation of the graphical model into the Promela language, and translation of Promela into the C language.
Questions?
References
• Brown, S 2000, 'Overview of IEC 61508. Design of electrical/electronic/programmable electronic safety-related systems', Computing & Control Engineering Journal, vol. 11, no. 1, pp. 6-12.
• Da Silva Sa, J, da Silva, JJ, Wanzeller, MG & da Rocha Neto, JS 2005, 'Monitoring of Temperature Using Smart Sensors Based on CAN Architecture', paper presented at CONIELECOMP 2005, 15th International Conference on Electronics, Communications and Computers.
• Douglass, BP 1999, Doing Hard Time: Developing Real-Time Systems with UML, Objects, Frameworks, and Patterns, Addison-Wesley Professional.
• Dwyer, MB, Avrunin, GS & Corbett, JC 1999, 'Patterns in property specifications for finite-state verification', Proceedings of the 1999 International Conference on Software Engineering, pp. 411-420.
• Holzmann, GJ 1997, 'The model checker SPIN', IEEE Transactions on Software Engineering, vol. 23, no. 5, pp. 279-295.
• Johansson, KH, Torngren, M & Nielsen, L 2005, 'Vehicle Applications of Controller Area Network', Birkhauser Boston, New York, NY, pp. 741-765.
• Saha, I & Roy, S 2007, 'A Finite State Analysis of Time-Triggered CAN (TTCAN) Protocol Using Spin', Proceedings of the International Conference on Computing: Theory and Applications, pp. 77-81.