Research Article  Open Access
Modeling and Verification of Reconfigurable and Energy-Efficient Manufacturing Systems
Abstract
This paper deals with the formal modeling and verification of reconfigurable and energy-efficient manufacturing systems (REMSs) that are considered as reconfigurable discrete event control systems. A REMS not only allows global reconfigurations for switching the system from one configuration to another, but also allows local reconfigurations on components for saving energy when the system is in a particular configuration. In addition, the unreconfigured components of such a system should continue running during any reconfiguration. As a result, during a system reconfiguration, the system may have several possible paths and may fail to meet control requirements if concurrent reconfiguration events and normal events are not controlled. To guarantee the safety and correctness of such complex systems, formal verification is of great importance during a system design stage. This paper extends the formalism reconfigurable timed net condition/event systems (RTNCESs) in order to model all possible dynamic behavior in such systems. After that, the designed system based on extended RTNCESs is verified with the help of a software tool SESA for functional, temporal, and energy-efficient properties. This paper is illustrated by an automatic assembly system.
1. Introduction
A reconfigurable manufacturing system (RMS) is designed at the outset for rapid change in structure, as well as in hardware and software components, in order to quickly adjust production capacity and functionality within a part family in response to sudden changes in market or in regulatory requirements [1]. A RMS should be designed with several configurations (behavior modes) to, respectively, meet different production requirements in various conditions. There are two types of reconfigurations: static and dynamic reconfigurations. Generally, a static reconfiguration is applied offline to modify a RMS extensively such as adjusting architecture of physical systems and removing obsolete machines, whereas a dynamic system reconfiguration, to switch a RMS from one configuration to another at runtime, is applied with the aim of fault tolerance or actively changing system behavior modes [2, 3]. This paper focuses on dynamic RMSs.
Traditionally, manufacturing is an energy-intensive process, using motors, steam, and compressed air systems to transform raw materials into durable goods and consumer products [4–6]. Recent research shows that switching machines of a manufacturing system into their energy-efficient modes when they are idle during production can make considerable contribution to the reduction of energy demand and thus can reduce carbon footprint as well as operating costs [7–15]. This paper takes advantage of dynamic reconfigurations of machines of a RMS between their working modes and energy-efficient modes as a way of reducing system energy consumption. A RMS with such energy-efficient operations is called a reconfigurable and energy-efficient manufacturing system (REMS).
REMSs can be abstracted as reconfigurable discrete event systems (DESs) when only their logic behavior properties are investigated. In this paper, a reconfiguration is called a local reconfiguration, if it is applied for switching a machine of a REMS between its working mode and energy-efficient mode. A reconfiguration is named a global reconfiguration if it is applied for switching a REMS between different configurations.
A REMS should be able to reconfigure itself smoothly due to changed inner/outer environments at runtime. Meanwhile, normal unreconfigured events should go on occurring whenever they meet their occurrence preconditions. However, uncontrolled concurrence of reconfiguration events and normal events may cause faults such as deadlocks and overflow [16–19]. Therefore, formal verification is of great importance during design stages.
Petri nets [20, 21] have found an extensive application to discrete event systems [22, 23], including automated flexible manufacturing systems [24–28] and reconfigurable systems [29]. Reconfigurable timed net condition/event systems (RTNCESs) [30, 31] are reconfigurable extensions of timed net condition/event systems (TNCESs) [32, 33]. TNCESs [34, 35] have a visual graph expression, a clear modular structure, and an exact mathematical definition inherited from Petri nets [36–40]. In addition, they have a strong analysis software tool: SESA (http://homepages.engineering.auckland.ac.nz/vyatkin/tools/modelchekers.html) [41]. System behavior properties, such as state/event trajectories and temporal requirements, can be specified by Computation Tree Logic (CTL), extended CTL (eCTL), and timed CTL (TCTL) [42–44] before being checked by SESA automatically. If a property is satisfied by the system, the model checker will return “true”. Otherwise, a counterexample will be returned. Therefore, TNCESs have been widely applied in verification and validation of industry control systems especially for manufacturing systems [45–47]. The verification of a RTNCES can be performed with the assistance of SESA [30, 31].
However, RTNCESs cannot fully meet our requirements for a REMS. In a RTNCES, reconfiguration functions model system reconfiguration events and transitions model normal events. However, the concurrence of reconfiguration functions and transitions is forbidden in a RTNCES, which is in fact inconsistent with system requirements of REMSs. As a result, formal verification of such complex systems cannot be performed.
Motivated by the fact aforementioned, this paper extends RTNCESs. First, the reconfiguration functions of RTNCESs are assigned with action ranges and concurrent decision functions. After that, they are divided into two types according to their action ranges: major and minor reconfiguration functions. The major ones are used to model global reconfiguration events, whereas the minor ones are applied to model local reconfiguration events. Accordingly, the dynamics of RTNCESs is updated for these extensions such that the concurrence of reconfiguration events and normal events can be conditionally allowed to guarantee the system correctness. Afterwards, an implementation method for an extended RTNCES is developed. Finally, the software tool SESA is applied to check system functional, temporal, and energy-efficient properties. An automatic assembly system is used to illustrate this work.
The paper is organized as follows. The system specification of REMSs and the applied automatic assembly system are depicted in Section 2. The drawbacks of RTNCESs on analyzing REMSs and the proposed extended RTNCESs are described in Section 3. The formal verification of a REMS based on extended RTNCESs is illustrated in Section 4. Finally, Section 5 concludes this paper and briefly presents further studies.
2. Reconfigurable and Energy-Efficient Manufacturing Systems
This paper treats a reconfigurable and energy-efficient manufacturing system (REMS) as a reconfigurable discrete event control system. This section presents system specification and interesting system dynamics before it illustrates them with an automatic assembly system.
2.1. System Specification
A REMS is designed with a set of configurations to meet various requirements in different execution environments. A configuration is defined as where is a set of all activated components in , defines the structure, that is, the connection relationship and the communication protocol among components of , and denotes the set of all global variables and parameters of .
A REMS is denoted by where is the set of configurations and is the reconfigurable controller dealing with system reconfigurations.
There are two types of system reconfigurations in a REMS: global and local reconfigurations. The former ones are applied for switching system configurations. The latter ones are applied for switching an activated component between its working mode and energy-efficient mode when the system is in a particular configuration.
A REMS starts running as described in one of these configurations. After that, it should be able to change into other configurations smoothly due to the detection of component faults or other well-defined conditions. In addition, in each configuration, local reconfigurations can be applied to components such that the components can reconfigure themselves into their energy-efficient modes to save energy when they are idle and turn back to their working modes when the system needs them.
Dynamics of a REMS can be described by the evolution of system states. The evolution is caused by the occurrences of events. A REMS includes three types of events: normal events, local reconfiguration events, and global reconfiguration events.
(1) If a normal event occurs, the system changes its state within its current configuration.
(2) If a local reconfiguration event occurs, a component of current configuration switches into its energy-efficient mode or switches back into its working mode.
(3) If a global reconfiguration event occurs, the system switches into another configuration.
Meanwhile, during a global or local reconfiguration, if normal events meet their occurring conditions and they are not modified by the occurring reconfiguration events, they should go on occurring. However, this kind of concurrence poses a safety threat to the system, since it may cause unboundedness, deadlocks, and even other functional or temporal failings.
2.2. Running Example
An automatic assembly system, denoted by AAS, is applied to illustrate works presented in this paper. AAS includes three workstations (, , and ) and four robots (, , , and ). It is assumed that robots are high energy consumption machines. The respective time consumption of , , and to finish a machining task is 40 time units, 30 time units, and 50 time units. The time consumption of both and to finish a task is 20 time units. The time consumption of both and to finish a task is 25 time units. The default working process diagram of AAS is shown in Figure 1.
The main function of AAS is to assemble machine parts into a subassembly of a vehicle, to be marked by . Robots and move machine parts from the input into AAS, transfer machine parts between workstations, and remove trashy machine parts to the output. Dotted arrows in Figure 1 are used to denote the movements of machine parts during an assembly process. On the other hand, is shifted along , , and by robots and . Solid arrows in Figure 1 are used to denote the movement of . To make it clear, , and are used to denote positions where machine parts or should be during an assembly process. The main assembly process is briefly described by the following three steps.
(1) The to-be-worked subassembly is shifted from input to by . A machine part is delivered to from the input . After that, and are preprocessed on . Then, the preprocessed is moved to automatically. The preprocessed is moved to automatically before being moved to position by .
(2) is transported to from by . Then, a second preprocess for is done by . After that, is shifted to from by .
(3) A machine part is delivered to by . Then, starts the assembly after is in , preprocessed is in , and is in . After the assembly, the machined is moved out by . Two other trashy machine parts are removed out of AAS by and , respectively.
It is assumed that four behavior modes are designed for AAS. Their work processes are illustrated as follows.
(i) : is the default mode as depicted in Figure 1, where all the robots are applied.
(ii) : is a responding mode when breaks down, where should update itself to perform the function of .
(iii) : is applied when breaks down during the execution of , where the work of has to be done by .
(iv) : is applied when both and break down, where only and are applied. In this case, should cover the function of as in and should cover the function of as in .
In each behavior mode, the applied robots should be able to reconfigure themselves into their energy-efficient modes when they are idle and reconfigure themselves back into their working modes when they have new tasks. A local reconfiguration for switching a robot from its working mode to its energy-efficient mode consumes one time unit. Likewise, a local reconfiguration for switching a robot from its energy-efficient mode back to its working mode consumes one time unit, as well.
To avoid the halt of a continuous production line, possible dynamic reconfigurations applied for switching AAS between these behavior modes are shown in Figure 2. The solid arrows denote global reconfigurations and dotted ones denote local reconfigurations.
It is assumed that a robot consumes one energy unit per time unit when it works in its working mode. However, it only consumes 30% energy units per time unit when it works in its energy-efficient mode. Note that the numerical value “30%” is an assumption by the authors to facilitate the quantitative analysis on energy-efficient operations. It does not come from any literature on industry systems.
Obviously, the possible reconfiguration events of AAS can occur simultaneously with many normal events in it. For example, when is being modified by a global reconfiguration or being switched into its energy-efficient mode, only its own work needs to stop for a while and the workstations and other running robots should do their jobs unaffectedly.
3. Extended RTNCES
Reconfigurable timed net condition/event systems (RTNCESs) [30, 31] are extensions of timed net condition/event systems (TNCESs) [34, 35]. Reconfiguration functions of RTNCESs can be used to model global reconfiguration events of REMSs. However, they are not proper to model local reconfiguration events of REMSs directly. In addition, the concurrence of normal events and reconfiguration events is currently not allowed in RTNCESs. Therefore, in order to perform correct formal verification of a REMS, this paper extends RTNCESs. This section briefly recalls basic conceptions of RTNCESs, analyzes the drawbacks of RTNCESs on investigating REMSs, and presents the proposed extended RTNCESs.
3.1. RTNCESs
Definition 1 (see [30]). A RTNCES is a structure , where is a behavior module and is a control module.
The behavior module is a union of superposed TNCESs. For any , the TNCES is denoted by with . Then can be represented as (resp., ) is a superset of places (resp., transitions). is a superset of flow arcs. (resp., ) is a superset of condition (resp., event) signals. is a set of time intervals to input flow arcs. : maps an event processing mode (AND or OR) for each transition. Let , where is the initial marking. is the initial clock position. is a set of all TNCES structures that can be represented by .
The control module is a set of reconfiguration functions. A reconfiguration function is a structure . is the precondition of . is the structure modification instruction. is the state correlation function, where is a set of feasible initial states of . (resp., ) denotes the TNCES before (resp., after) the implementation of .
Definition 2 (see [30]). A state of RTNCES is a pair , where identifies the activated TNCES with , and is a state of with and .
In a RTNCES, each TNCES in the behavior module models a configuration. For a RTNCES , only one of the TNCESs of the behavior module is activated at the beginning until a reconfiguration function is implemented. Other TNCESs with net structures defined in can be activated only after implementing reconfiguration functions. At any time, only one of the TNCESs with net structures defined in is activated.
If a reconfiguration function meets its precondition, that is, , it is enabled. A reconfiguration function can fire if it is enabled, that is, to implement it. The evolution of a RTNCES depends on what events (reconfiguration functions or transitions) take place. Let be the activated TNCES with , where . If a maximal step fires, evolves from its one inner state to another. However, if a reconfiguration function fires, then is transformed into by changing its net structure and updating its state, where , , and .
3.2. Drawbacks of RTNCESs
The TNCES models for the four behavior modes of AAS are denoted by , , , and , respectively. The set of all possible reconfiguration events of AAS is marked by . The reconfiguration event indicates a local reconfiguration that transforms robot into its energy-efficient mode and is the reverse of , that is, to transform robot from its energy-efficient mode into its working mode. The implementation of the events and does not change the current behavior mode but can switch robot between its working mode and energy-efficient mode according to its busy/idle status and waiting time. Finally, () denotes a global reconfiguration event that transforms AAS from the configuration Mode into Mode .
The firing of a reconfiguration function of a RTNCES changes the system configuration. As a consequence, if reconfiguration functions are applied to model local reconfiguration events for switching components between their working modes and energy-efficient modes directly, the number of system configurations should be enlarged. For example, configuration Mode 4 should be considered as four different configurations: (1) Both and are in their working modes, (2) is in working mode and is in energy-efficient mode, (3) is in working mode and is in energy-efficient mode, and (4) both and are in their energy-efficient modes. These four configurations are with the same structure. However, they should be verified separately. Obviously, this increases the verification cost and burdens the whole design process.
Generally, transitions in a RTNCES model normal events of a reconfigurable discrete event control system, whereas reconfiguration functions are used to model system reconfiguration events. However, the concurrence of reconfiguration functions and transitions is not allowed in RTNCESs, which is in fact inconsistent with requirements of REMSs. To make it clearer, let us take the modules , , and as an example. Their TNCES-based models in Mode 1 and Mode 4 are shown in Figures 3 and 4, respectively. The differences between them are marked by dotted lines.
Example 3. Suppose that a reconfiguration function gets enabled at state when AAS is in Mode 1. The physical meaning of is that (1) just finishes transporting to and (2) is ready to process . Assume that at this time a fault is detected in . should be removed. Meanwhile, must update itself soon in order to cover ’s task. According to the design requirements for AAS, should go on working “naturally” at this time, that is, the enabled transition can fire at this state. However, the concurrence of reconfiguration functions and transitions is not allowed in RTNCESs. Therefore, at state , only fires alone and AAS turns to the state . Afterwards, fires, which leads to the next state . However, if and fire together, AAS turns to the state directly without generating . The state transition graph of this case is shown in Figure 5.
Example 4. Assume that two reconfiguration functions and get enabled simultaneously at state . The physical meaning of is that (1) just starts its work and (2) both and are idle. The firing of and only changes the states inside their modules but neither alters the system structure nor enables/disables any other transitions outside. That is to say, the firing of and does not change the current system configuration. According to the design requirements for AAS, both and can reconfigure themselves into energy-efficient modes freely when they are idle for more than two time units. However, the concurrence of multiple reconfiguration functions is not allowed in RTNCESs. Therefore, at state , only or fires alone. After that, the remaining one fires since it is still enabled. However, if and fire together, AAS turns to the state directly. The state transition graph of this case is shown in Figure 6.
In conclusion, the original RTNCESs are not sufficient to model a REMS. The reason can be explained from the following three aspects.
(i) Reconfigurations at the component level only change component behavior modes between their working modes and energy-efficient modes rather than changing system configurations. If this kind of reconfigurations is modeled by reconfiguration functions directly, the number of system configurations should be enlarged, which increases the verification cost and burdens the whole design process.
(ii) The concurrence of reconfiguration functions and transitions is not allowed in RTNCESs. However, from the above examples, the concurrence of reconfiguration events and normal events is a common phenomenon in a REMS.
(iii) Since the local reconfigurations for energy-efficient operations cannot be properly described, their corresponding dynamics and reasonable analysis cannot be performed.
To this end, this paper extends RTNCESs to achieve two aims. First, all possible events including concurrent events that may occur in REMSs can be properly described. Second, the concurrence of reconfiguration functions and transitions should be controlled to ensure the system correctness.
3.3. Extended RTNCESs
An extended RTNCES has the same structure as the original RTNCES. It is composed of a behavior module and a control module, denoted by . The definition of system states is not changed, as shown in Definition 2 in Section 3.1. However, in the extended RTNCES, reconfiguration functions are newly assigned with action ranges and concurrent decision functions. In addition, the firing rules of transitions and reconfiguration functions are updated such that they are conditionally allowed to fire concurrently.
3.3.1. Modified Reconfiguration Functions
In order to model the two types of reconfiguration events in a REMS directly, a concept, namely, action range, is developed for each reconfiguration function of a RTNCES. In addition, a concurrent decision function is also assigned to a reconfiguration function to constrain concurrent transitions that may lead to undesired states such as deadlocks and overflow during a reconfiguration. For the sake of brevity, a reconfiguration function indicates a modified reconfiguration function in what follows.
Definition 5. A reconfiguration function of an extended RTNCES is a structure . is the precondition of . : is the structure modification instruction. is the state correlation function, where is a set of feasible initial states of . (resp., ) denotes the TNCES before (resp., after) fires. denotes the action range of . is a concurrent decision function deciding a set of forbidden transitions that cannot fire together with at state .
The reconfiguration functions of extended RTNCESs are divided into two types: major and minor reconfiguration functions. For a reconfiguration function with and , it is a major reconfiguration function if and only if . Otherwise, it is a minor reconfiguration function. Let and denote the sets of major and minor reconfiguration functions of , respectively. Then we have and .
The implementation (firing) of a major reconfiguration function changes the structure of the current activated TNCES, whereas the implementation (firing) of a minor reconfiguration function only adjusts partial states of the activated TNCES within its action range.
Similar to Petri nets, the “conflict” concept is proposed for two enabled reconfiguration functions. We have the following two cases.
(1) For two reconfiguration functions within the same type, that is, both being minor or major reconfiguration functions, if their action ranges have intersections, they are conflicting.
(2) For a minor reconfiguration function and a major reconfiguration function, if the action range of the minor reconfiguration function is not completely covered by that of the major reconfiguration function, they are conflicting.
If two reconfiguration functions are conflicting, they cannot be implemented simultaneously. The symbol denotes that reconfiguration functions and are not conflicting.
Similar to the definition of steps in TNCES, a step in an extended RTNCES is a maximal set of reconfiguration functions that can fire simultaneously at a particular state. A step should satisfy the following two conditions.
(1) For any two reconfiguration functions and () in a step , and are not conflicting; that is, .
(2) There does not exist any other maximal set of reconfiguration functions such that .
Accordingly, two steps and are conflicting, if , , , and are conflicting.
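The two conflict cases and the step definition above can be exercised directly. The following Python sketch is an added example, not code from the paper or from SESA: it treats each enabled reconfiguration function as a (kind, action range) pair and enumerates all maximal sets of pairwise non-conflicting functions. The element and function names (`robot_a`, `to_mode_2`, and so on) are hypothetical placeholders, and the major/minor kind is taken as given rather than derived.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ReconfFn:
    """An enabled reconfiguration function, reduced to what the conflict rules need."""
    name: str
    kind: str                 # "major" or "minor" (assumed to be known in advance)
    action_range: frozenset   # names of the net elements the function may touch


def conflicting(a: ReconfFn, b: ReconfFn) -> bool:
    """Apply the two conflict cases stated in the text."""
    if a.kind == b.kind:
        # Case 1: same type, conflicting when the action ranges intersect.
        return bool(a.action_range & b.action_range)
    # Case 2: one minor, one major; conflicting unless the minor's range
    # is completely covered by the major's range.
    minor, major = (a, b) if a.kind == "minor" else (b, a)
    return not minor.action_range <= major.action_range


def maximal_steps(enabled):
    """Return every maximal set of pairwise non-conflicting functions.

    Each step is a frozenset of function names. The search is the
    Bron-Kerbosch enumeration of maximal cliques in the graph whose
    edges join non-conflicting functions.
    """
    fns = list(enabled)
    if not fns:
        return set()
    compat = {f: {g for g in fns if g != f and not conflicting(f, g)} for f in fns}
    steps = set()

    def expand(chosen, candidates, excluded):
        if not candidates and not excluded:
            steps.add(frozenset(f.name for f in chosen))
            return
        for f in list(candidates):
            expand(chosen | {f}, candidates & compat[f], excluded & compat[f])
            candidates = candidates - {f}
            excluded = excluded | {f}

    expand(set(), set(fns), set())
    return steps


# Constructed sample data (hypothetical names): three workstations, four robots.
WHOLE_NET = frozenset({"ws_1", "ws_2", "ws_3",
                       "robot_a", "robot_b", "robot_c", "robot_d"})
# Major functions sharing one action range, as in the AAS control module.
TO_MODE_2 = ReconfFn("to_mode_2", "major", WHOLE_NET)
TO_MODE_3 = ReconfFn("to_mode_3", "major", WHOLE_NET)
# Minor functions: one action range per robot.
SLEEP_A = ReconfFn("sleep_robot_a", "minor", frozenset({"robot_a"}))
WAKE_A = ReconfFn("wake_robot_a", "minor", frozenset({"robot_a"}))
SLEEP_B = ReconfFn("sleep_robot_b", "minor", frozenset({"robot_b"}))
# A major function whose range does not cover robot_a (constructed edge case).
PARTIAL_MAJOR = ReconfFn("rewire_ws_1", "major", frozenset({"ws_1", "robot_c"}))


def demo_steps():
    """Two conflicting majors plus two independent minors enabled together."""
    return maximal_steps([TO_MODE_2, TO_MODE_3, SLEEP_A, SLEEP_B])


if __name__ == "__main__":
    for step in sorted(sorted(s) for s in demo_steps()):
        print(step)
```

With the sample data, each maximal step contains exactly one of the two major functions together with both minor functions, which matches the requirement that a global reconfiguration and covered local reconfigurations may fire together.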
3.3.2. Dynamics of Extended RTNCESs
Suppose that, at state , multiple reconfiguration functions get enabled, to be denoted by where () is a maximal step at and, for all , , , and are conflicting. At the same state , the set of all enabled transitions is denoted by where () is a maximal step and, for all , , , and are conflicting. For more information on how these steps are computed, please see [34, 35].
As a consequence, different compositions of steps and steps can occur simultaneously at this state. Given an enabled reconfiguration function , we use (resp., ) to denote the set of deleted transitions (resp., deleted places) and (resp., ) to denote the set of added transitions (resp., added places) by firing it, where , , , and . We have the following two cases.
(1) For a transition , if it is enabled simultaneously with a minor reconfiguration function at state and , then can fire simultaneously with ; that is, .
(2) For a transition , if it is enabled simultaneously with a major reconfiguration function at state , then we have the following two subcases.
(A) A spontaneous transition is forbidden to be concurrent with at , if it meets one of the following conditions.
(i) If it is deleted by , that is, , it is forbidden by ; that is, .
(ii) If and all its elements are not changed by firing , then it is allowed to fire simultaneously with . Formally, if , , , , and , we have .
(iii) If , some of its elements are modified by , which include its preset, postset, source places, and firing mode, and we have the following two cases.
(a) The preset, source places, and firing mode of decide whether is enabled after the firing of . Therefore, if its preset, source places, or firing mode is changed by , it can fire simultaneously with . Formally, if , , or , then .
(b) The postset of does not change its enabling condition but influences the structure of the net. Therefore, it is forbidden by . Formally, if , we have .
(B) A forced transition is forbidden to be concurrent with at , if it further meets one of the following conditions.
(i) Its firing mode is and all of its forcing transitions are forbidden to be concurrent with ; that is, if and, for all , , then .
(ii) Its firing mode is and at least one of its forcing transitions is forbidden by ; that is, if and , , then .
Since an extended RTNCES allows the concurrence of multiple reconfiguration functions and transitions, the reachability graph of an extended RTNCES is defined as follows.
Definition 6. The reachability graph of an extended RTNCES is a combination of several labeled directed graphs whose nodes are the states of and whose arcs are of three kinds: steps, steps, and combinations of a step and a step.
(i) The arc from state to state is denoted by a step represented by , where .
(ii) The arc from state to state is labeled with a step represented by , if contains major reconfiguration functions with . Otherwise, we have and .
(iii) The arc from to state is labeled with a step and a step represented by , if contains major reconfiguration functions with . Otherwise, we have .
Obviously, the graphical representation of an extended RTNCES model is the same as that of a RTNCES model. However, system dynamics get enriched along with the changes of reconfiguration functions. If we use an extended RTNCES to model AAS, the graphical TNCES models shown in Figures 3 and 4 are still correct. However, their reachability graphs get enriched during the same reconfiguration.
Example 7. A fragment of the reachability graph of the extended RTNCES-based model of the example composed of , , and is shown in Figure 7. AAS starts running in . When it arrives at state , two minor reconfiguration functions and get enabled and fire simultaneously to reconfigure robots and into their energy-efficient modes. After 28 time units, they reconfigure back to working modes. Assume that is detected to have a fault at state , the major reconfiguration function gets enabled. In the meantime, gets enabled simultaneously with . Therefore, fires simultaneously with , which leads to the transformation of AAS into .
4. Verification of REMSs Based on Extended RTNCESs
In order to perform correct formal verification of AAS, an extended RTNCES-based model should be built for it. The extended RTNCES-based model of AAS is marked by , , , , , , , and = , , , , , , , . We have = , , , . The four major reconfiguration functions are conflicting with each other. The minor reconfiguration functions and () are conflicting but others are not. The behavior module of is shown in Figure 8, where elements drawn by dotted lines are possibly modified during the implementation of a major reconfiguration function. In order to apply automatic model checking to an extended RTNCES, a TNCES-based nested state machine is developed to implement its control module.
4.1. Implementation of Extended RTNCESs
First of all, major reconfiguration functions are grouped according to their action ranges. A set of state machines specified by TNCESs, which are called s, is defined. Each state machine corresponds to a group of major reconfiguration functions that share the same action range. In a particular , each transition corresponds to a major reconfiguration function. The transitions in a state machine cannot fire simultaneously, which means that the major reconfiguration functions modeled by one state machine are conflicting with each other. Firing a transition in a implies that a major reconfiguration function is implemented. A is formalized as follows: where, for any , , , which means that only one place in owns a token at the initial state, and . The precondition can be modeled by input event/condition signals from external to transitions in a .
In addition, an actuator denoted by is defined for each place in all , which is marked by . Each actuator is composed of a place and a transition only, where , , and . When the place in a receives a token, the actuator is activated. An is formalized as follows: where , , , , and .
Similar to major reconfiguration functions, minor reconfiguration functions are grouped according to their action ranges. A set of state machines specified by TNCESs, which are called , is defined. Each state machine corresponds to a group of minor reconfiguration functions. If the action ranges of two minor reconfiguration functions are the same, they are modeled by transitions in a . If the action range of a group of minor reconfiguration functions, to be modelled by a , is completely covered by that of a group of major reconfiguration functions, to be modeled by a , then this is activated while this is activated.
A is formalized as follows: where, for any , , , which means that only one place in owns a token at the initial state, and . The precondition can be modeled by input event/condition signals from external to transitions in a .
Example 8. Figure 9 depicts the TNCES-based control module of . It has only one , since the four major reconfiguration functions share the same action range. It has four s, since the four robots have four distinguished action ranges. Places , , , and in correspond to Mode 1, Mode 2, Mode 3, and Mode 4, respectively. When fires, the major reconfiguration function is implemented. Robots and are applied in every mode of AAS. Therefore, minor reconfiguration functions that transform them between energy-efficient modes and working modes are activated in every system behavior mode. Moreover, it is possible for them to fire simultaneously with other major reconfiguration functions.
4.2. Formal Verification of AAS
Since the time when a major reconfiguration function can get enabled and fire cannot be predicted, this paper applies an instruction insertion method to simulate AAS. In addition, evolves according to fired maximal steps and steps. Assume that AAS should finish 100 subassemblies. It starts with Mode 1. At time when it finishes the 60th subassembly, it reconfigures into Mode 2 due to the fault detection of . Then, it goes on working in Mode 2. At time when the 91st subassembly is being processed, it transforms into Mode 4 according to the fault detection of . During the whole process, minor reconfigurations, that is, transforming robots between their working modes and energyefficient modes, are applied.
SESA is applied to compute the reachability graph of this whole process. A minimal path regarding time consumption from the initial state to the objective state is computed in each mode. In Mode 1, it generates 23044 states, taking 6990 time units to finish assembly of the first 60 subassemblies in the minimal path. In Mode 2, it generates 85259 states, costing 4127 time units to finish assembling the next 30 subassemblies in the minimal path. Finally, in Mode 4, it generates 195007 states, taking 1525 time units to finish assembling the last 10 subassemblies in the minimal path. Note that two states can be considered to be the same if and only if they have the same token numbers and time status.
Since each TNCES-based model of the behavior modes of AAS is a well-designed control system, they are proved to be qualified according to SESA, where eCTL-based functional properties and TCTL-based temporal properties are checked. In addition, the following eCTL formula is applied to the control module of : This formula is proved to be false by SESA. Transition corresponds to minor reconfiguration function . Therefore, it can fire only when AAS is in Mode 1 or Mode 2. The following formula is proved to be true: It means that when robot breaks down, two reconfiguration functions and can fire simultaneously.
The triggering conditions of minor reconfiguration functions can be computed in advance. There are several possible state/event paths showing system behavior from the initial state to the objective state, at which 100 subassemblies are finished. We select a minimal path regarding time for each TNCES-based model of the three configurations, to be denoted by , where energy-efficient operations are not included. That is to say, all robots should stay in their working modes in this case although they should wait for a period of time before the next task comes. After that, based on the states on this path, the time when a minor reconfiguration function gets enabled and fires can be computed. For example, if an activated robot starts to wait at a particular state , at which the system time is , a search is performed along this minimal path at . If it is found that at the robot works again, at which the system time is , then the time delay between these two states is obtained. The round local reconfigurations for switching a robot between its working mode and energy-efficient mode take two time units. Therefore, if the time delay is larger than two, that is, , a local reconfiguration can be applied to this robot. The system time for reconfiguring this robot from its working mode to its energy-efficient mode is . The system time for reconfiguring this robot from its energy-efficient mode to its working mode is .
The time of robots on their energy-efficient modes in minimal paths is computed during the assembly of 100 subassemblies. They are shown in Table 1 together with the whole system uptime in each mode. Take Mode 1 as an example. Assume that consumes one energy unit per time unit in its working time but only consumes energy unit per time unit in its energy-efficient mode. In , if there is no minor reconfiguration applied to for saving energy, it will consume 6990 energy units. However, it only consumes energy units in Mode 1 if minor reconfigurations are applied when it is idle. In the same way, the energy saved by the robots during this simulation is shown in Table 2, where the third row shows the energy consumption of each robot if no minor reconfigurations are applied, the fourth row shows the energy consumption of each robot when minor reconfigurations are applied, and the last row shows the saved energy of each robot during this process.
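The idle-window search and the energy accounting described in the two paragraphs above can be sketched as follows; this is an added Python example, not code from the paper or from SESA. The sample path, the robot names "R1" and "R2", the 1/4 energy-efficient rate, and billing the two switching time units at the working rate are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from fractions import Fraction

ROUND_TRIP = 2  # per the text: one switch to energy-efficient mode and back costs two time units

@dataclass(frozen=True)
class Window:
    start: int  # system time at which the robot starts to wait
    end: int    # system time at which the robot works again

    @property
    def delay(self):
        return self.end - self.start

def idle_windows(path, robot):
    """Scan the time-ordered states of a minimal path for waits of `robot`.

    `path` is a list of (system_time, set_of_working_robots) pairs. A wait that
    never ends on the path yields no window, since no resume state is found.
    """
    windows, wait_start = [], None
    for time, working in path:
        if robot not in working:
            if wait_start is None:
                wait_start = time
        elif wait_start is not None:
            windows.append(Window(wait_start, time))
            wait_start = None
    return windows

def reconfigurable_windows(path, robot):
    """Keep only waits strictly longer than the round-trip switching cost."""
    return [w for w in idle_windows(path, robot) if w.delay > ROUND_TRIP]

def energy(path, robot, working_rate, saving_rate):
    """Return (energy without, energy with) minor reconfigurations.

    Assumption: the two switching time units are billed at the working rate,
    so only delay - ROUND_TRIP units of each window run at the saving rate.
    """
    uptime = path[-1][0] - path[0][0]
    saving_time = sum(w.delay - ROUND_TRIP for w in reconfigurable_windows(path, robot))
    without = uptime * working_rate
    with_reconf = (uptime - saving_time) * working_rate + saving_time * saving_rate
    return without, with_reconf

# Constructed sample path (not from the paper): hypothetical robots "R1" and "R2".
PATH = [(0, {"R1", "R2"}), (3, {"R2"}), (5, {"R1", "R2"}),
        (8, {"R2"}), (14, {"R1"}), (20, {"R1", "R2"})]

if __name__ == "__main__":
    for robot in ("R1", "R2"):
        chosen = reconfigurable_windows(PATH, robot)
        before, after = energy(PATH, robot, Fraction(1), Fraction(1, 4))
        print(robot, chosen, "energy", before, "->", after, "saved", before - after)
```

The wait of R1 from time 3 to time 5 is rejected because its delay equals the round-trip cost, which is the boundary case the "larger than two" condition excludes.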


5. Conclusion
A reconfigurable and energy-efficient manufacturing system (REMS) is a typical reconfigurable discrete event control system. It allows two kinds of dynamic system reconfigurations: local and global reconfigurations. The former ones are applied to save energy for components, whereas the latter ones are applied to change system configurations according to changed inner/outer execution environments. Meanwhile, normal events should be conditionally allowed to occur simultaneously with these system reconfigurations, such that the system can reconfigure smoothly and safely. In order to easily model conditioned concurrence of reconfiguration events and normal events and represent all interesting system behavior, this paper extends the reconfigurable timed net condition event systems (RTNCESs) formalism. Original reconfiguration functions are newly assigned with action ranges and concurrent decision functions. Accordingly, the dynamics of RTNCES is updated. After that, a TNCES-based implementation method for the proposed extended RTNCES is developed such that automatic model checking can be applied. The verified properties include functional, temporal, and energy properties that are specified by Computation Tree Logic (CTL), extended Computation Tree Logic (eCTL), or Timed Computation Tree Logic (TCTL). An automatic assembly system is used to illustrate the whole work.
In the future, the authors will focus on reasonably optimal reconfigurable control systems that can save more energy and the applications of the proposed method to the crude-oil operation enterprises with huge energy consumption [48].
Conflict of Interests
The authors declare that there is no conflict of interests for this paper.
Acknowledgments
This work was supported in part by the National Natural Science Foundation of China under Grant no. 61374068 and the Science and Technology Development Fund, MSAR, under Grant nos. 065/2013/A2 and 066/2013/A2.
References
[1] Y. Koren, U. Heisel, F. Jovane et al., “Reconfigurable manufacturing systems,” CIRP Annals—Manufacturing Technology, vol. 48, no. 2, pp. 527–540, 1999.
[2] M. Khalgui, O. Mosbahi, J. F. Zhang, Z. W. Li, and A. Gharbi, “Feasible dynamic reconfigurations of petri nets: application to a production systems,” in Proceedings of the 6th International Conference on Software and Database Technologies (ICSOFT '11), pp. 105–110, Sevilla, Spain, July 2011.
[3] T. Parisini and S. Sacone, “Fault diagnosis and controller reconfiguration: an hybrid approach,” in Proceedings of the IEEE International Symposium on Intelligent Control (ISIC '98), pp. 163–168, September 1998.
[4] P. Leitão, J. Alves, J. M. Mendes, and A. W. Colombo, “Energy aware knowledge extraction from petri nets supporting decision-making in service-oriented automation,” in Proceedings of the IEEE International Symposium on Industrial Electronics (ISIE '10), pp. 3521–3526, Bari, Italy, July 2010.
[5] S. Karnouskos, A. W. Colombo, J. L. M. Lastra, and C. Popescu, “Towards the energy efficient future factory,” in Proceedings of the 7th IEEE International Conference on Industrial Informatics (INDIN '09), pp. 367–371, Cardiff, Wales, June 2009.
[6] K. Bunse, M. Vodicka, P. Schönsleben, M. Brülhart, and F. O. Ernst, “Integrating energy efficiency performance in production management—gap analysis between industrial needs and scientific literature,” Journal of Cleaner Production, vol. 19, no. 6-7, pp. 667–679, 2011.
[7] S. Mechs, S. Lamparter, and J. P. Müller, “On evaluation of alternative switching strategies for energy-efficient operation of modular factory automation systems,” in Proceedings of the IEEE 17th International Conference on Emerging Technologies and Factory Automation (ETFA '12), pp. 1–8, IEEE, Kraków, Poland, September 2012.
[8] S. Mechs, J. P. Muller, S. Lamparter, and J. Peschke, “Networked priced timed automata for energy-efficient factory automation,” in Proceedings of the American Control Conference (ACC '12), pp. 5310–5317, Montreal, Canada, June 2012.
[9] Z. M. Bi and L. Wang, “Optimization of machining processes from the perspective of energy consumption: a case study,” Journal of Manufacturing Systems, vol. 31, no. 4, pp. 420–428, 2012.
[10] Y. Oda, Y. Kawamura, and M. Fujishima, “Energy consumption reduction by machining process improvement,” Procedia CIRP, vol. 4, pp. 120–124, 2012.
[11] A. Cannata, S. Karnouskos, and M. Taisch, “Energy efficiency driven process analysis and optimization in discrete manufacturing,” in Proceedings of the 35th Annual Conference of the IEEE Industrial Electronics Society (IECON '09), pp. 4449–4454, Porto, Portugal, November 2009.
[12] G. Mouzon and M. B. Yildirim, “A framework to minimise total energy consumption and total tardiness on a single machine,” International Journal of Sustainable Engineering, vol. 1, no. 2, pp. 105–116, 2008.
[13] D. Shorin and A. Zimmermann, “Model-based development of energy-efficient automation systems,” in Proceedings of the 17th IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS '11), Chicago, Ill, USA, April 2011.
[14] C.-W. Park, K.-S. Kwon, W.-B. Kim et al., “Energy consumption reduction technology in manufacturing—a selective review of policies, standards, and research,” International Journal of Precision Engineering and Manufacturing, vol. 10, no. 5, pp. 151–173, 2009.
[15] P. Stoffels, W. M. Boussahel, M. Vielhaber, and G. Frey, “Energy engineering in the virtual factory,” in Proceedings of the IEEE 18th International Conference on Emerging Technologies and Factory Automation (ETFA '13), pp. 1–6, Cagliari, Italy, September 2013.
[16] N. Wu, M. Zhou, and Z. Li, “Resource-oriented Petri net for deadlock avoidance in flexible assembly systems,” IEEE Transactions on Systems, Man, and Cybernetics Part A: Systems and Humans, vol. 38, no. 1, pp. 56–69, 2008.
[17] Z. Li and M. Zhou, “Two-stage method for synthesizing liveness-enforcing supervisors for flexible manufacturing systems using Petri nets,” IEEE Transactions on Industrial Informatics, vol. 2, no. 4, pp. 313–325, 2006.
[18] Z. W. Li, H. S. Hu, and A. R. Wang, “Design of liveness-enforcing supervisors for flexible manufacturing systems using Petri nets,” IEEE Transactions on Systems, Man and Cybernetics Part C: Applications and Reviews, vol. 37, no. 4, pp. 517–526, 2007.
[19] Z. Li and M. Zhou, “Control of elementary and dependent siphons in Petri nets and their application,” IEEE Transactions on Systems, Man, and Cybernetics Part A: Systems and Humans, vol. 38, no. 1, pp. 133–148, 2008.
[20] Z. Li, M. Zhou, and N. Wu, “A survey and comparison of Petri net-based deadlock prevention policies for flexible manufacturing systems,” IEEE Transactions on Systems, Man and Cybernetics Part C: Applications and Reviews, vol. 38, no. 2, pp. 173–188, 2008.
[21] Z. Li, N. Wu, and M. Zhou, “Deadlock control of automated manufacturing systems based on petri nets—a literature review,” IEEE Transactions on Systems, Man and Cybernetics Part C: Applications and Reviews, vol. 42, no. 4, pp. 437–462, 2012.
[22] Z. Y. Ma, Z. W. Li, and A. Giua, “Design of optimal Petri net controllers for disjunctive generalized mutual exclusion constraints,” IEEE Transactions on Automatic Control, 2015.
[23] J. H. Ye, Z. W. Li, and A. Giua, “Decentralized supervision of Petri nets with a coordinator,” IEEE Transactions on Systems, Man, and Cybernetics: Systems, vol. 45, no. 6, pp. 955–966, 2015.
[24] Z. W. Li, M. C. Zhou, and M. D. Jeng, “A maximally permissive deadlock prevention policy for FMS based on petri net siphon control and the theory of regions,” IEEE Transactions on Automation Science and Engineering, vol. 5, no. 1, pp. 182–188, 2008.
[25] Z. W. Li, G. Y. Liu, H.-M. Hanisch, and M. C. Zhou, “Deadlock prevention based on structure reuse of petri net supervisors for flexible manufacturing systems,” IEEE Transactions on Systems, Man and Cybernetics, Part A: Systems and Humans, vol. 42, no. 1, pp. 178–191, 2012.
[26] Y. F. Chen and Z. W. Li, “Design of a maximally permissive liveness-enforcing supervisor with a compressed supervisory structure for flexible manufacturing systems,” Automatica, vol. 47, no. 5, pp. 1028–1034, 2011.
[27] Y. F. Chen, Z. W. Li, M. Khalgui, and O. Mosbahi, “Design of a maximally permissive liveness enforcing Petri net supervisor for flexible manufacturing systems,” IEEE Transactions on Automation Science and Engineering, vol. 8, no. 2, pp. 374–393, 2011.
[28] Y. F. Chen, Z. W. Li, K. Barkaoui, and M. Uzam, “New Petri net structure and its application to optimal supervisory control: Interval inhibitor arcs,” IEEE Transactions on Systems, Man, and Cybernetics: Systems, vol. 44, no. 10, pp. 1384–1400, 2014.
[29] X. Wang, I. Khemaissia, M. Khalgui, Z. Li, O. Mosbahi, and M. Zhou, “Dynamic low-power reconfiguration of real-time systems with periodic and probabilistic tasks,” IEEE Transactions on Automation Science and Engineering, vol. 12, no. 1, pp. 258–271, 2015.
[30] J. Zhang, M. Khalgui, Z. Li, O. Mosbahi, and A. M. Al-Ahmari, “R-TNCES: a novel formalism for reconfigurable discrete event control systems,” IEEE Transactions on Systems, Man, and Cybernetics: Systems and Humans, vol. 43, no. 4, pp. 757–772, 2013.
[31] J. F. Zhang, M. Khalgui, Z. W. Li, G. Frey, O. Mosbahi, and H. B. Salah, “Reconfigurable coordination of distributed discrete event control systems,” IEEE Transactions on Control Systems Technology, vol. 23, no. 1, pp. 323–330, 2015.
[32] C. Gerber, S. Preuße, and H.-M. Hanisch, “A complete framework for controller verification in manufacturing,” in Proceedings of the 15th IEEE International Conference on Emerging Technologies and Factory Automation (ETFA '10), pp. 1–9, September 2010.
[33] C. Gerber, Implementation and Verification of Distributed Control Systems, Logos, Berlin, Germany, 2011.
[34] H.-M. Hanisch, J. Thieme, A. Lueder, and O. Wienhold, “Modeling of PLC behavior by means of timed net condition/event systems,” in Proceedings of the IEEE 6th International Conference on Emerging Technologies and Factory Automation (ETFA '97), pp. 391–396, IEEE, Los Angeles, Calif, USA, September 1997.
[35] M. Rausch and H.-M. Hanisch, “Net condition/event systems with multiple condition outputs,” in Proceedings of the 1995 INRIA/IEEE Symposium on Emerging Technologies and Factory Automation, pp. 592–600, Paris, France, October 1995.
[36] T. Murata, “Petri nets: properties, analysis and applications,” Proceedings of the IEEE, vol. 77, no. 4, pp. 541–580, 1989.
[37] Y. F. Chen, Z. W. Li, and M. C. Zhou, “Optimal supervisory control of flexible manufacturing systems by Petri nets: a set classification approach,” IEEE Transactions on Automation Science and Engineering, vol. 11, no. 2, pp. 549–563, 2014.
[38] Z. W. Li and M. C. Zhou, “Elementary siphons of Petri nets and their application to deadlock prevention in flexible manufacturing systems,” IEEE Transactions on Systems, Man, and Cybernetics Part A: Systems and Humans, vol. 34, no. 1, pp. 38–51, 2004.
[39] Z. W. Li and M. C. Zhou, “Clarifications on the definitions of elementary siphons in Petri nets,” IEEE Transactions on Systems, Man, and Cybernetics, Part A: Systems and Humans, vol. 36, no. 6, pp. 1227–1229, 2006.
[40] Z. Li and M. Zhao, “On controllability of dependent siphons for deadlock prevention in generalized Petri nets,” IEEE Transactions on Systems, Man, and Cybernetics Part A: Systems and Humans, vol. 38, no. 2, pp. 369–384, 2008.
[41] P. H. Starke and S. Roch, “Analysing signal-net systems,” Tech. Rep., Informatik Berichte, Humboldt-University, Berlin, Germany, 2002.
[42] E. M. Clarke, O. Grumberg, and D. Peled, Model Checking, MIT Press, 1999.
[43] E. A. Emerson, A. K. Mok, A. P. Sistla, and J. Srinivasan, “Quantitative temporal reasoning,” in Computer-Aided Verification, vol. 531 of Lecture Notes in Computer Science, pp. 136–145, Springer, Berlin, Germany, 1991.
[44] S. Roch, “Extended computation tree logic,” in Proceedings of the Informatik-Bericht Workshop on Concurrency, Specification and Programming, pp. 225–234, 2000.
[45] S. Preuße, D. Missal, C. Gerber, M. Hirsch, and H.-M. Hanisch, “On the use of model-based IEC 61499 controller design,” International Journal of Discrete Event Control Systems, vol. 1, no. 1, pp. 115–128, 2011.
[46] S. Preuße, H.-C. Lapp, and H.-M. Hanisch, “Closed-loop system modeling, validation, and verification,” in Proceedings of the IEEE 17th International Conference on Emerging Technologies and Factory Automation (ETFA '12), pp. 1–8, IEEE, Kraków, Poland, September 2012.
[47] S. Preuße and H.-M. Hanisch, “Verifying functional and non-functional properties of manufacturing control systems,” in Proceedings of the 3rd International Workshop on Dependable Control of Discrete Systems (DCDS '11), pp. 41–46, Saarbrücken, Germany, June 2011.
[48] N. Q. Wu, M. C. Zhou, and Z. W. Li, “Short-term scheduling of crude-oil operations: petri net-based control-theoretic approach,” IEEE Robotics & Automation Magazine, 2015.
Copyright
Copyright © 2015 Jiafeng Zhang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.