UPPAAL: The Long Road from Theory to Industrial Impact


1
UPPAAL: The Long Road from Theory to Industrial Impact
  • Frits Vaandrager
  • fvaan_at_cs.ru.nl

2
Overview
  • What is Model Checking?
  • History & Impact
  • Early Days
  • Engine
  • Scheduling & Planning
  • Current Projects
  • Conclusions

3
Turing Award 2007 for Model Checking!!!
Ed Clarke
Allen Emerson
Joseph Sifakis
4
What is Model Checking?
[Figure: the Model Checker takes a System Description (Automata A) and a Requirement Specification (F) and decides whether A sat F; the answer is "Yes!" or "No!" with Diagnostic Information.]
5
Example: Gossiping Girls Problem
  • Six girls all have a gossip of their own.
  • They call each other over the phone. Whenever
    two girls talk they exchange all gossips they
    know.
  • How many calls are needed before every girl
    knows every gossip?

6
Transition System
7
Temporal Logic
8
Solution Model Checker
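The gossip puzzle can be treated as a reachability question over a transition system, which is the job of an explicit-state model checker. The Python sketch below is an added example, not taken from the slides or from UPPAAL: it searches the state space breadth-first and returns a shortest witness trace, in the spirit of the "diagnostic information" a model checker produces. The function names `min_calls` and `replay` are hypothetical, and the demo runs 4 and 5 girls to keep the state space small (for n ≥ 4 the known minimum is 2n − 4 calls).

```python
from collections import deque
from itertools import combinations


def min_calls(n):
    """Breadth-first search of the gossip transition system for n girls.

    A state is a tuple of n bitmasks; bit j of entry i is set when girl i
    knows gossip j. Returns (number_of_calls, witness_call_sequence).
    """
    initial = tuple(1 << i for i in range(n))   # each girl knows only her own gossip
    everything = (1 << n) - 1
    goal = (everything,) * n                    # reachability goal: all know all
    parent = {initial: None}                    # visited set plus back-pointers
    queue = deque([initial])
    while queue:
        state = queue.popleft()
        if state == goal:
            return _trace(parent, state)
        for a, b in combinations(range(n), 2):  # one transition per possible call
            merged = state[a] | state[b]
            if merged == state[a] == state[b]:
                continue                        # the call would change nothing
            nxt = list(state)
            nxt[a] = nxt[b] = merged
            nxt = tuple(nxt)
            if nxt not in parent:
                parent[nxt] = (state, (a, b))
                queue.append(nxt)
    raise RuntimeError("goal state not reachable")


def _trace(parent, state):
    """Follow back-pointers to rebuild the shortest call sequence."""
    calls = []
    while parent[state] is not None:
        state, call = parent[state]
        calls.append(call)
    calls.reverse()
    return len(calls), calls


def replay(n, calls):
    """Re-run a witness trace and report whether every girl knows everything."""
    know = [1 << i for i in range(n)]
    for a, b in calls:
        know[a] = know[b] = know[a] | know[b]
    return all(k == (1 << n) - 1 for k in know)


if __name__ == "__main__":
    for n in (4, 5):                            # constructed small instances
        count, calls = min_calls(n)
        print(n, "girls:", count, "calls, witness", calls)
```

Because the search is breadth-first, the first time the goal state is dequeued its depth is the minimum number of calls; the slide's six-girl instance uses the same function with a considerably larger state space.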
9
Hybrid Real Time Systems
[Figure labels: Computer Science, Control Theory; sensors, actuators; Task (×4); Controller Program (Discrete); Plant (Continuous)]
E.g.: Pump Control, Air Bags, Robots, Cruise Control, ABS, CD Players, Production Lines
Real Time System: A system where correctness not only depends on the logical order of events but also on their timing!!
10
History of UPPAAL
  • 1989: TAU (CCS, Modal Transition Systems, Refinements, Modal Mu-Calculus, Explicit State Representation, Prolog)
  • 1993: EPSILON (TCCS, Timed Refinements, Timed Mu-Calculus, Regions, Prolog)
  • 1995: UPPAAL (Timed Automata, TCTL, Zones, C, Java)
11
Contributors
  • @UPPsala
  • Wang Yi
  • Paul Pettersson
  • John Håkansson
  • Anders Hessel
  • Pavel Krcal
  • Leonid Mokrushin
  • Shi Xiaochun
  • @AALborg
  • Kim G Larsen
  • Gerd Behrmann
  • Arne Skou
  • Brian Nielsen
  • Alexandre David
  • Jacob I. Rasmussen
  • Marius Mikucionis
  • Thomas Chatain
  • @Elsewhere
  • Emmanuel Fleury, Didier Lime, Johan Bengtsson,
    Fredrik Larsson, Kåre J Kristoffersen, Tobias
    Amnell, Thomas Hune, Oliver Möller, Elena
    Fersman, Carsten Weise, David Griffioen, Ansgar
    Fehnker, Frits Vaandrager, Theo Ruys, Pedro
    D'Argenio, J-P Katoen, Jan Tretmans, Judi Romijn,
    Ed Brinksma, Martijn Hendriks, Klaus Havelund,
    Franck Cassez, Magnus Lindahl, Francois
    Laroussinie, Patricia Bouyer, Augusto Burgueno,
    H. Bowman, D. Latella, M. Massink, G. Faconti,
    Kristina Lundqvist, Lars Asplund, Justin
    Pearson...

12
UPPAAL 4.0
13
UPPAAL 4.0
  • Graphical Simulator
  • visualization and recording
  • inexpensive fault detection
  • inspection of error traces
  • Message Sequence Charts
  • (Gantt Charts)

14
UPPAAL 4.0
  • Verifier
  • Exhaustive automatic checking of
    requirements
  • .. including validating, safety, liveness,
    bounded liveness and response
    properties
  • .. generation of debugging information
    for visualisation in simulator.
  • Optimal scheduling for cost models

15
Impact
Google: UPPAAL 134.000; SPIN Verifier 242.000; nuSMV 57.700
> 1.500 Google Scholar Citations (Rhapsody/Esterel < 3.500)
16
Impact
Company Downloads: Mecel, Jet, Symantec, SRI, Relogic, Realwork, NASA, Verified Systems, Microsoft, ABB, Airbus, PSA, Saab, Siemens, Volvo, Lucent Technologies
17
Impact
Google: UPPAAL 134.000; SPIN 103.000.000; SMV 4.790.000
More Google: SPIN Verifier 242.000; nuSMV 57.700
Even More Google: SPIN, UPPAAL 23.900; SPIN, SMV 83.000; UPPAAL, SMV 11.300; All 3: 876
18
UPPAAL Branches
  • TIGA: Controller synthesis
  • CORA: Optimal scheduling
  • TRON: Testing
  • CLASSIC: Verification
19
Verification: The Early Days
CLASSIC
  • A good beginning is useful

20
First official UPPAAL presentation
Wang Yi, TACAS, Aarhus, April 1995
Johan Bengtsson, Kim Larsen, Fredrik Larsson, Paul Pettersson, Wang Yi
21
Application
The Philips Audio Protocol with collision
David Griffioen and some Scandinavian friends.
22
Application
Bounded Retransmission Protocol
  • Pedro D'Argenio
  • Joost-Pieter Katoen
  • Theo Ruys
  • Jan Tretmans

23
Application
Scheduling wafer production at ASML
Martijn Hendriks in Cyprus
24
Some UPPAAL Groupies
Frits Vaandrager
25
The Engine
26
Datastructures for Zones
  • DBM package
  • Minimal Constraint Form RTSS97
  • Clock Difference Diagrams CAV99
  • PW List SPIN03

27
To Store or Not To Store
Behrmann, Larsen, Pelanek 2003
117 statestotal ! 81 statesentrypoint ! 9
states
Time OH less than 10
Audio Protocol
28
Symmetry Reduction
  • Exploitation of full symmetry may give factorial
    reduction
  • Computation of canonical state representative

Formats 2003
Martijn Hendriks
29
D-UPPAAL
Gerd Behrmann, Thomas Hune, Frits Vaandrager
  • Distributed implementation of UPPAAL on
    PC-cluster CAV'00, PDMC'02, STTT'03.
  • Applications
  • Synthesis of Dynamic Voltage Scaling strategies
    (CISS).
  • Ad-hoc mobile real-time protocol (Leslie Lamport)
    - 25GB in 3 min!
  • Running on NorduGrid. Local cluster: 50 CPUs and
    50GB of RAM
  • To be used as inspiration for verification GRID
    platform within ARTIST2 NoE.

31
UPPAAL 1995 - 2001
Every 9 months, 10 times better performance!
Dec96
Sep98
3.x
32
Optimal Scheduling
CORA
33
SIDMAR Steel Production Plant
  • A. Fehnker RTCSA99,
  • T. Hune, K. G. Larsen, P. Pettersson DSV00
  • Case study of Esprit-LTR project 26270 VHS
  • Physical plant of SIDMAR located in Gent, Belgium
  • Part between blast furnace and hot rolling mill
  • Objective: model the plant, obtain schedule
    and control program for plant

[Figure labels: Crane A, Crane B, Machine 1, Machine 2, Machine 3, Machine 4, Machine 5, Lane 1, Lane 2, Buffer, Storage Place, Continuous Casting Machine]
34
Ametist
2002-2005
35
Priced Timed Automata
Behrmann, Brinksma, Fehnker, Hune, Larsen,
Pettersson, Romijn, Vaandrager Rasmussen ..
Bouyer, Cassez, Nicolas
36
Example Aircraft Landing
Planes have to keep separation distance to avoid
turbulences caused by preceding planes
37
Example Aircraft Landing
Parameters: 4 = earliest landing time; 5 = target time; 9 = latest time; 3 = cost rate for being early; 1 = cost rate for being late; 2 = fixed cost for being late
[Priced timed automaton figure; surviving labels: x < 5, x > 4, x5, land!, cost2, x < 5, x < 9, cost3, cost1, x5, land!]
Planes have to keep separation distance to avoid
turbulences caused by preceding planes
38
Using Heuristics
Try to schedule planes in the order of their
preferred landing times
39
Aircraft Landing Problem
runways
Benchmark by Beasley et al 2000
40
AXXOM Case study
Lacquer Production Scheduling
  • 3 types of recipes
  • for uni/metallic/bronce
  • use of resources, processing times, timing
  • 29 (73, 219) orders
  • start time, due date, recipe
  • extensions
  • delay cost, storage cost, setup cost
  • weekend, nights

Behrmann, Brinksma, Hendriks, Mader 16th IFAC
World Congress
41
Resources
Axxom
  • 2 mixing vessels for uni lacquers
  • 3 mixing vessels for metallic/bronce
  • 2 dose spinners
  • 1 dose spinner bronce
  • 1 disperging line
  • 1 predisperser
  • 1 bronce mixer
  • 2 filling lines
  • lab (unlimited)

42
Recipes
UPPAAL template for metal
Axxom
43
Instantiated Model
Axxom
State Space Explosion
Heuristics !! Guiding Pruning
44
Heuristics
Axxom
  • Nice heuristics
  • non-overtaking
  • orders of the same recipe cannot overtake each
    other
  • non-laziness
  • a process that needs an available resource will
    not waste time if it is not claimed by others
    (a.k.a. active scheduling)
  • Cut-and-Pray heuristics
  • greediness
  • a process that needs an available resource will
    claim this resource immediately
  • reducing active orders
  • the number of concurrent orders is restricted
    (number of critical resources can give an
    indication)

45
Results Extended Case
Axxom
storage, delay and setup costs, working hours
Order of magnitude faster than MILP, GAMS/CPLEX
Competitive with Orion-pi results
46
Current Projects
  • Towards industrial use

47
Compositional Abstraction
Jasper Berendsen, Biniam Gebremichael, Miaomiao
Zhang, FV
48
Compositional Abstraction
  • weakening guards invariants
  • chaos abstraction

x3
Host 1
Host 2
Host 3
Host n
49
Compositional Abstraction
  • weakening guards invariants
  • chaos abstraction

x3
Chaos
Host 1
Host 2
Host 3
Host n
50
Use of Uppaal in the Classroom
  • Roelof Hamberg, FV

c10.l upper bound on waiting time for entering
critical section in Peterson's mutual exclusion
algorithm with 2 processes; strengthening of
cO(l) bound of Lynch
52
ESI Octopus Project with Oce
Georgeta Igna, FV
Design of adaptive data path in Copiers/Printers
Challenges: problem size, hybrid phenomena, timed
games,..
53
FP7 Quasimodo Project
Analysis of Wireless Sensor Networks of Chess
David Jansen, Faranek Heydarian, Julien
Schmaltz, FV
Challenges: probabilities, hundreds of nodes,
dynamic network,..
54
NWO Project ARTS
Faranek Heydarian, FV
Abstraction Refinement for Timed Systems
Challenge: Counterexample guided abstraction
refinement
55
Gerd Behrmann
56
Conclusion
Process Algebra
Industry
  • Tools indispensable for transfer
  • Tools are only first steps
  • Tools must fit industrial tool chain and
    development process (UML, Matlab/Simulink,
    Rhapsody, visualSTATE, Scade)
  • Involve several academic teams!
  • Collaborate with end-users!
  • State space explosion remains major challenge
  • Collaborate with researchers closer to end-users
    than you
  • Control Theory
  • Hardware
  • Expand scope of technology
  • Verification → Testing
  • Verification → Optimization

Centers of Competence for CISS, ESI, ..