Robust industrial automation software: outsets for non-determinism and real-time execution

Licentiate thesis. Marcus Lindner, Embedded Systems, EISLAB, Department of Computer Science, Electrical and Space Engineering, Luleå University of Technology, Luleå, Sweden, 2016. Supervisors: Per Lindgren and Valeriy Vyatkin. Printed by Luleå University of Technology, Graphic Production 2016. ISSN 1402-1757, ISBN 978-91-7583-571-6 (print), ISBN 978-91-7583-572-3 (pdf). www.ltu.se

To my brother Andreas

Abstract

Studies about the industrial standard IEC 61499 and its relation to the RTFM Model of Computation represent the basis of this thesis. An overview of industrial automation software in general and in the scope of Svenska Kraftnät introduces the subject of software related issues. The thesis focuses on selected properties which are important for software development to improve the robustness of industrial automation software. Among others, timing is essential due to its importance in real-time applications. An example case of the nuclear power plant Forsmark in Sweden illustrates problems correlated with timing issues and makes the lack of an overall system modelling (including timing) evident. A review of the relevant industrial standards for software development in industrial applications provides a background for various aspects of software compliance to safety requirements. Special attention lies on the standards IEC 61131 and IEC 61499 for industrial software development and their programming and execution models.

The presented RTFM framework defines a concurrent model of execution based on tasks and resources together with a timing semantics that was designed from the outset for the development of embedded real-time systems. It can serve as scheduling and resource management for the run-time environments of industrial applications while addressing the aforementioned issues. Mappings from the functional layer (IEC 61499 function block networks) and the safety layer (PLCopen safety function blocks) to RTFM show the applicability and the possibility of using IEC 61499 as an overall, distributed, and hierarchical model. A discussion of options for future work presents choices to pursue in the second half of the PhD studies. Formal methods for program specification and verification open up an interesting path to further increase the robustness of industrial automation software.

Contents

Part I – Background analysis  1
Acronyms  3
Chapter 1 – Software related issues in industrial automation  7
  1.1 Precise non-determinism  7
  1.2 Industrial control  8
  1.3 SvK project (the application)  9
  1.4 Example case: Forsmark  13
    1.4.1 General control system design  13
    1.4.2 System characteristics  15
    1.4.3 Scenario 1  15
    1.4.4 Scenario 2  16
    1.4.5 Issue evaluation  18
  1.5 Power converter example: concept  19
  1.6 Thesis focus and outline  20
Chapter 2 – Software and safety standards  23
  2.1 Safe machine control  23
    2.1.1 NUREG/CR-6463  25
    2.1.2 DO-178C  28
    2.1.3 IEC 61508(-3), IEC 62061, and ISO 13849-1  29
  2.2 PLCopen TC5 - Safety  34
  2.3 PLC programming with IEC 61131-3  36
  2.4 Distributed control with IEC 61499  38
    2.4.1 System and device model  39
    2.4.2 Resource model  40
    2.4.3 Function block model  40
    2.4.4 Non-deterministic execution semantics  42
    2.4.5 Scheduling function  43
    2.4.6 Events and event queuing  45
    2.4.7 Event and data decoupling  45
    2.4.8 Timing semantics  47

Part II – Enhancing industrial automation software  51
Chapter 3 – Real-Time For the Masses complementing IEC 61499  55
  3.1 Research article relations  55
  3.2 RTFM implementation of PLCopen safety function block  58
  3.3 Power converter example: implementation  62
Chapter 4 – Research contributions  69
  4.1 Summary of Appended Articles  69
    4.1.1 Article A  70
    4.1.2 Article B  70
    4.1.3 Article C  71
    4.1.4 Article D  71
    4.1.5 Article E  72
    4.1.6 Article F  72
    4.1.7 Article G  73
  4.2 Summary of Related Articles  73
    4.2.1 Article H  74
    4.2.2 Article I  74
    4.2.3 Article J  75
    4.2.4 Article K  75
    4.2.5 Article L  76
    4.2.6 Article M  77
Chapter 5 – Conclusions and future work  79
  5.1 Conclusions  79
  5.2 Future Work  81
References  83

Part III – Articles  85
Article A  87
  1 Introduction  89
  2 IEC 61499 Execution Semantics  90
  3 Light-weight Scheduling under RTFM-kernel  92
  4 Mapping of IEC 61499 to the RTFM-kernel  94
  5 Tool-Chain  96
  6 Related Work  96
  7 Ongoing and Future Work  97
  8 Conclusions  98
Article B  101
  1 Introduction  103
  2 Syllabus, Lecture by Lecture  107
  3 Methods and tools  114
  4 Conclusions and Future Work  122
Article C  125
  1 Introduction  127
  2 RTFM-core Language  129
  3 RTFM-core Compiler  131
  4 Related Work  136
  5 Conclusions  141
Article D  145
  1 Introduction  147
  2 Background  149
  3 Distributed systems in RTFM-core  156
  4 Experiments  167
  5 Related and Future Work  172
  6 Conclusions  173
Article E  177
  1 Introduction  179
  2 Background  181
  3 RTFM Timing Semantics  183
  4 Timing Semantics for IEC 61499  188
  5 Conclusions  193
Article F  197
  1 Introduction  199
  2 Background  200
  3 Generic Implementation of RTFM-RT  210
  4 Specific Implementations  213
  5 Related work  215
  6 Future Extensions to Hard Real-Time  216
  7 Conclusion  216
Article G  221
  1 Introduction  223
  2 Run time Verification  227
  3 Implementation and Evaluation  232
  4 Related work  235
  5 Conclusion and Future Work  236

Acknowledgments

Science is an art that can never be done alone. And so this work emerged with the help and support of many people. I would like to take the chance to express my gratitude to some of those but cannot mention all who deserve it. All of you I am not referring to have my assurance that I did not forget you.

First of all, I acknowledge Svenska Kraftnät (Swedish national grid) for providing funding for this research. I deeply hope we go into a future without any kind of nuclear technology because I truly believe the risk is too high. But today it is still part of our society and we have to do our best to limit the risk. I am proud to have the chance to contribute to a better world.

Allow me to say a few words directly to my colleagues and friends.

  • Per Lindgren and Valeriy Vyatkin: Thank you for being patient and questioning supervisors. I know my special character can be difficult to handle but our discussions and your enthusiasm always encourage me.
  • Jonas Ekman: Thank you for your continuous support of all my ideas and desires.
  • Alois Zoitl: It was a great pleasure for me when we met the first time at ETFA 2014 after I read a lot about your work. I believe your first visit in Luleå was the beginning of a fruitful collaboration and our friendship.
  • David Pereira: Per was always speaking highly of you. Your visit in Luleå last year explained why. I look forward to options for collaboration. Your
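The abstract describes the RTFM model of execution in terms of tasks, resources and a timing semantics, and the thesis maps IEC 61499 event handlers onto it. The following toy simulation is an added example written for this page; it is not code from the thesis or from the RTFM tool chain. It assumes unit time ticks, one static priority and one relative deadline per task, that a task claims all its resources for its whole run, and a stack-resource-policy ceiling rule (the kind of rule the RTFM-kernel builds on). The task names, priorities, execution times, deadlines, arrival times and the `bus` resource are all constructed for the example.

```python
"""Toy simulation of an event-driven task/resource execution model.

Constructed example; not code from the thesis or the RTFM tool chain.
Each IEC 61499-style event handler is modelled as a task with a static
priority and a deadline relative to the event's arrival (its baseline);
shared state is guarded by resources with priority ceilings.
Assumptions: time advances in unit ticks; a task claims all its resources
for its whole execution; a pending task starts only when its priority is
above both the running task and the ceiling of every held resource
(a stack-resource-policy rule). With use_ceiling=False the model degrades
to plain priority preemption.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Task:
    name: str
    priority: int                    # larger number = higher priority
    wcet: int                        # execution time in ticks (assumed)
    deadline: int                    # ticks after the baseline
    resources: Tuple[str, ...] = ()  # claimed for the whole run


def ceilings(tasks: Dict[str, Task]) -> Dict[str, int]:
    """Ceiling of a resource: highest priority among tasks claiming it."""
    ceil: Dict[str, int] = {}
    for t in tasks.values():
        for r in t.resources:
            ceil[r] = max(ceil.get(r, 0), t.priority)
    return ceil


def simulate(tasks: Dict[str, Task], arrivals: List[Tuple[int, str]],
             use_ceiling: bool = True, horizon: int = 1000) -> dict:
    """Simulate tick by tick and report the schedule.

    Returns trace (tick, running task or 'idle'), starts (order in which
    instances began), misses (instances finishing after their deadline) and
    overlaps (ticks in which two started instances hold the same resource,
    i.e. mutual exclusion was violated).
    """
    ceil = ceilings(tasks)
    arrivals = sorted(arrivals)
    pending: List[dict] = []    # released, not yet started
    stack: List[dict] = []      # started instances; top of stack runs
    trace, starts, misses, overlaps = [], [], [], 0
    tick = i = 0
    while (i < len(arrivals) or pending or stack) and tick < horizon:
        while i < len(arrivals) and arrivals[i][0] == tick:   # releases
            name = arrivals[i][1]
            pending.append({"name": name, "baseline": tick,
                            "remaining": tasks[name].wcet})
            i += 1
        running_prio = tasks[stack[-1]["name"]].priority if stack else 0
        held = [r for inst in stack for r in tasks[inst["name"]].resources]
        sys_ceil = max((ceil[r] for r in held), default=0) if use_ceiling else 0
        # highest priority first; earlier baseline breaks ties
        pending.sort(key=lambda x: (-tasks[x["name"]].priority, x["baseline"]))
        if pending:
            prio = tasks[pending[0]["name"]].priority
            if prio > running_prio and prio > sys_ceil:     # preemption test
                stack.append(pending.pop(0))
                starts.append(stack[-1]["name"])
                held += tasks[stack[-1]["name"]].resources
        if len(held) != len(set(held)):
            overlaps += 1
        if stack:
            cur = stack[-1]
            trace.append((tick, cur["name"]))
            cur["remaining"] -= 1
            if cur["remaining"] == 0:
                stack.pop()
                if tick + 1 > cur["baseline"] + tasks[cur["name"]].deadline:
                    misses.append(cur["name"])
        else:
            trace.append((tick, "idle"))
        tick += 1
    return {"trace": trace, "starts": starts, "misses": misses,
            "overlaps": overlaps}


# Constructed function block network: a logger and a controller share a
# field bus; the alarm handler touches nothing shared.
TASKS = {
    "log":   Task("log",   priority=1, wcet=3, deadline=10, resources=("bus",)),
    "ctrl":  Task("ctrl",  priority=2, wcet=2, deadline=6,  resources=("bus",)),
    "alarm": Task("alarm", priority=3, wcet=2, deadline=4),
}
ARRIVALS = [(0, "log"), (1, "ctrl"), (2, "alarm")]   # event baselines (ticks)


if __name__ == "__main__":
    for flag in (True, False):
        r = simulate(TASKS, ARRIVALS, use_ceiling=flag)
        print(f"ceiling={flag}: starts={r['starts']} misses={r['misses']} "
              f"overlaps={r['overlaps']}")
```

With the ceiling rule on, the controller is held back for two ticks while the lower-priority logger holds the bus, so its deadline has to absorb that blocking time (tighten it to 5 ticks and the simulation reports a miss); with the rule off, the same three events yield a schedule in which two handlers hold the bus at once. Both outcomes depend only on scheduling, which is the kind of behaviour the thesis sets out to make analysable.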

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    254
