#### Abstract

This paper deals with the formal modeling and verification of reconfigurable and energy-efficient manufacturing systems (REMSs) that are considered as reconfigurable discrete event control systems. A REMS not only allows global reconfigurations for switching the system from one configuration to another, but also allows local reconfigurations on components for saving energy when the system is in a particular configuration. In addition, the unreconfigured components of such a system should continue running during any reconfiguration. As a result, during a system reconfiguration, the system may have several possible paths and may fail to meet control requirements if concurrent reconfiguration events and normal events are not controlled. To guarantee the safety and correctness of such complex systems, formal verification is of great importance during a system design stage. This paper extends the formalism reconfigurable timed net condition/event systems (R-TNCESs) in order to model all possible dynamic behavior in such systems. After that, the designed system based on extended R-TNCESs is verified with the help of a software tool SESA for functional, temporal, and energy-efficient properties. This paper is illustrated by an automatic assembly system.

#### 1. Introduction

A reconfigurable manufacturing system (RMS) is designed at the outset for rapid change in structure, as well as in hardware and software components, in order to quickly adjust production capacity and functionality within a part family in response to sudden changes in market or in regulatory requirements [1]. A RMS should be designed with several configurations (behavior modes) to meet different production requirements in various conditions. There are two types of reconfigurations: static and dynamic reconfigurations. Generally, a static reconfiguration is applied offline to modify a RMS extensively, such as adjusting the architecture of physical systems and removing obsolete machines, whereas a dynamic system reconfiguration, which switches a RMS from one configuration to another at runtime, is applied with the aim of fault-tolerance or actively changing system behavior modes [2, 3]. This paper focuses on dynamic RMSs.

Traditionally, manufacturing is an energy-intensive process, using motors, steam, and compressed air systems to transform raw materials into durable goods and consumer products [4–6]. Recent research shows that switching machines of a manufacturing system into their energy-efficient modes when they are idle during production can make a considerable contribution to the reduction of energy demand and thus can reduce carbon footprint as well as operating costs [7–15]. This paper takes advantage of dynamic reconfigurations of machines of a RMS between their working modes and energy-efficient modes as a way of reducing system energy consumption. A RMS with such energy-efficient operations is called a reconfigurable and energy-efficient manufacturing system (REMS).

REMSs can be abstracted as reconfigurable discrete event systems (DESs) when only their logic behavior properties are investigated. In this paper, a reconfiguration is called a local reconfiguration, if it is applied for switching a machine of a REMS between its working mode and energy-efficient mode. A reconfiguration is named a global reconfiguration if it is applied for switching a REMS between different configurations.

A REMS should be able to reconfigure itself smoothly in response to changed inner/outer environments at runtime. Meanwhile, normal unreconfigured events should go on occurring whenever they meet their occurrence preconditions. However, uncontrolled concurrence of reconfiguration events and normal events may cause faults such as deadlocks and overflow [16–19]. Therefore, formal verification is of great importance during design stages.

Petri nets [20, 21] have found an extensive application to discrete event systems [22, 23], including automated flexible manufacturing systems [24–28] and reconfigurable systems [29]. Reconfigurable timed net condition/event systems (R-TNCESs) [30, 31] are reconfigurable extensions of timed net condition/event systems (TNCESs) [32, 33]. TNCESs [34, 35] have a visual graph expression, a clear modular structure, and an exact mathematical definition inherited from Petri nets [36–40]. In addition, they have a strong analysis software tool: SESA (http://homepages.engineering.auckland.ac.nz/vyatkin/tools/modelchekers.html) [41]. System behavior properties, such as state/event trajectories and temporal requirements, can be specified by Computation Tree Logic (CTL), extended CTL (eCTL), and timed CTL (TCTL) [42–44] before being checked by SESA automatically. If a property is satisfied by the system, the model checker will return “true”. Otherwise, a counterexample will be returned. Therefore, TNCESs have been widely applied in verification and validation of industry control systems especially for manufacturing systems [45–47]. The verification of a R-TNCES can be performed with the assistance of SESA [30, 31].

However, R-TNCESs cannot fully meet our requirements for a REMS. In a R-TNCES, reconfiguration functions model system reconfiguration events and transitions model normal events. However, the concurrence of reconfiguration functions and transitions is forbidden in a R-TNCES, which is in fact inconsistent with system requirements of REMSs. As a result, formal verification of such complex systems cannot be performed.

Motivated by the aforementioned fact, this paper extends R-TNCESs. First, the reconfiguration functions of R-TNCESs are assigned action ranges and concurrent decision functions. After that, they are divided into two types according to their action ranges: major and minor reconfiguration functions. The major ones are used to model global reconfiguration events, whereas the minor ones are applied to model local reconfiguration events. Accordingly, the dynamics of R-TNCESs are updated for these extensions such that the concurrence of reconfiguration events and normal events can be conditionally allowed to guarantee the system correctness. Afterwards, an implementation method for an extended R-TNCES is developed. Finally, the software tool SESA is applied to check system functional, temporal, and energy-efficient properties. An automatic assembly system is used to illustrate this work.

The paper is organized as follows. The system specification of REMSs and the applied automatic assembly system are depicted in Section 2. The drawbacks of R-TNCESs on analyzing REMSs and the proposed extended R-TNCESs are described in Section 3. The formal verification of a REMS based on extended R-TNCESs is illustrated in Section 4. Finally, Section 5 concludes this paper and briefly presents further studies.

#### 2. Reconfigurable and Energy-Efficient Manufacturing Systems

This paper treats a reconfigurable and energy-efficient manufacturing system (REMS) as a reconfigurable discrete event control system. This section presents system specification and interesting system dynamics before it illustrates them with an automatic assembly system.

##### 2.1. System Specification

A REMS is designed with a set of configurations to meet various requirements in different execution environments. A configuration is defined as where is a set of all activated components in , defines the structure, that is, the connection relationship and the communication protocol among components of , and denotes the set of all global variables and parameters of .

A REMS is denoted by where is the set of configurations and is the reconfigurable controller dealing with system reconfigurations.

There are two types of system reconfigurations in a REMS: global and local reconfigurations. The former ones are applied for switching system configurations. The latter ones are applied for switching an activated component between its working mode and energy-efficient mode when the system is in a particular configuration.

A REMS starts running as described in one of these configurations. After that, it should be able to change into other configurations smoothly due to the detection of component faults or other well-defined conditions. In addition, in each configuration, local reconfigurations can be applied to components such that the components can reconfigure themselves into their energy-efficient modes to save energy when they are idle and turn back to their working modes when the system needs them.

Dynamics of a REMS can be described by the evolution of system states. The evolution is caused by the occurrences of events. A REMS includes three types of events: normal events, local reconfiguration events, and global reconfiguration events.

(1) If a normal event occurs, the system changes its state within its current configuration.

(2) If a local reconfiguration event occurs, a component of the current configuration switches into its energy-efficient mode or switches back into its working mode.

(3) If a global reconfiguration event occurs, the system switches into another configuration.

Meanwhile, during a global or local reconfiguration, if normal events meet their occurring conditions and they are not modified by the occurring reconfiguration events, they should go on occurring. However, this kind of concurrence poses a safety threat to the system, since it may cause unboundedness, deadlocks, and even other functional or temporal failures.

##### 2.2. Running Example

An automatic assembly system, denoted by AAS, is applied to illustrate the work presented in this paper. AAS includes three workstations (, , and ) and four robots (, , , and ). It is assumed that robots are high energy consumption machines. The respective time consumption of , , and to finish a machining task is 40 time units, 30 time units, and 50 time units. The time consumption of both and to finish a task is 20 time units. The time consumption of both and to finish a task is 25 time units. The default working process diagram of AAS is shown in Figure 1.

The main function of AAS is to assemble machine parts into a subassembly of a vehicle, to be marked by . Robots and move machine parts from the input into AAS, transfer machine parts between workstations, and remove trashy machine parts to the output. Dotted arrows in Figure 1 are used to denote the movements of machine parts during an assembly process. On the other hand, is shifted along , , and by robots and . Solid arrows in Figure 1 are used to denote the movement of . To make it clear, , and are used to denote positions where machine parts or should be during an assembly process. The main assembly process is briefly described by the following three steps.

(1) The to-be-worked subassembly is shifted from input to by . A machine part is delivered to from the input . After that, and are preprocessed on . Then, the preprocessed is moved to automatically. The preprocessed is moved to automatically before being moved to position by .

(2) is transported to from by . Then, a second preprocess for is done by . After that, is shifted to from by .

(3) A machine part is delivered to by . Then, starts the assembly after is in , preprocessed is in , and is in . After the assembly, the machined is moved out by . Two other trashy machine parts are removed out of AAS by and , respectively.

It is assumed that four behavior modes are designed for AAS. Their work processes are illustrated as follows.

(i): is the default mode as depicted in Figure 1, where all the robots are applied.

(ii): is a responding mode when breaks down, where should update itself to perform the function of .

(iii): is applied when breaks down during the execution of , where the work of has to be done by .

(iv): is applied when both and break down, where only and are applied. In this case, should cover the function of as in and should cover the function of as in .

In each behavior mode, the applied robots should be able to reconfigure themselves into their energy-efficient modes when they are idle and reconfigure themselves back into their working modes when they have new tasks. A local reconfiguration for switching a robot from its working mode to its energy-efficient mode consumes one time unit. Likewise, a local reconfiguration for switching a robot from its energy-efficient mode back to its working mode consumes one time unit, as well.

To avoid the halt of a continuous production line, possible dynamic reconfigurations applied for switching AAS between these behavior modes are shown in Figure 2. The solid arrows denote global reconfigurations and dotted ones denote local reconfigurations.

It is assumed that a robot consumes one energy unit per time unit when it works in its working mode. However, it only consumes 30% energy units per time unit when it works in its energy-efficient mode. Note that the numerical value “30%” is an assumption by the authors to facilitate the quantitative analysis on energy-efficient operations. It does not come from any literature on industry systems.

Obviously, the possible reconfiguration events of AAS can occur simultaneously with many normal events in it. For example, when is being modified by a global reconfiguration or being switched into its energy-efficient mode, only its own work needs to stop for a while and the workstations and other running robots should do their jobs unaffectedly.

#### 3. Extended R-TNCES

Reconfigurable timed net condition/event systems (R-TNCESs) [30, 31] are extensions of timed net condition/event systems (TNCESs) [34, 35]. Reconfiguration functions of R-TNCESs can be used to model global reconfiguration events of REMSs. However, they are not suitable for modeling local reconfiguration events of REMSs directly. In addition, the concurrence of normal events and reconfiguration events is currently not allowed in R-TNCESs. Therefore, in order to perform correct formal verification of a REMS, this paper extends R-TNCESs. This section briefly recalls basic concepts of R-TNCESs, analyzes the drawbacks of R-TNCESs in investigating REMSs, and presents the proposed extended R-TNCESs.

##### 3.1. R-TNCESs

*Definition 1 (see [30]).* A R-TNCES is a structure , where is a behavior module and is a control module.

The behavior module is a union of superposed TNCESs. For any , the TNCES is denoted by with . Then can be represented as (resp., ) is a superset of places (resp., transitions). is a superset of flow arcs. (resp., ) is a superset of condition (resp., event) signals. is a set of time intervals to input flow arcs. : maps an event processing mode (AND or OR) for each transition. Let , where is the initial marking. is the initial clock position. is a set of all TNCES structures that can be represented by .

The control module is a set of reconfiguration functions. A reconfiguration function is a structure . is the precondition of . is the structure modification instruction. is the state correlation function, where is a set of feasible initial states of . (resp., ) denotes the TNCES before (resp., after) the implementation of .

*Definition 2 (see [30]).* A state of R-TNCES is a pair , where identifies the activated TNCES with , and is a state of with and .

In a R-TNCES, each TNCES in the behavior module models a configuration. For a R-TNCES , only one of the TNCESs of the behavior module is activated at the beginning until a reconfiguration function is implemented. Other TNCESs with net structures defined in can be activated only after implementing reconfiguration functions. At any time, only one of the TNCESs with net structures defined in is activated.

If a reconfiguration function meets its precondition, that is, , it is enabled. A reconfiguration function can fire if it is enabled, that is, to implement it. The evolution of a R-TNCES depends on what events (reconfiguration functions or transitions) take place. Let be the activated TNCES with , where . If a maximal step fires, evolves from its one inner state to another. However, if a reconfiguration function fires, then is transformed into by changing its net structure and updating its state, where , , and .

##### 3.2. Drawbacks of R-TNCESs

The TNCES models for the four behavior modes of AAS are denoted by , , , and , respectively. The set of all possible reconfiguration events of AAS is marked by . The reconfiguration event indicates a local reconfiguration that transforms robot into its energy-efficient mode and is the reverse of , that is, to transform robot from its energy-efficient mode into its working mode. The implementation of the events and does not change the current behavior mode but can switch robot between its working mode and energy-efficient mode according to its busy/idle status and waiting time. Finally, () denotes a global reconfiguration event that transforms AAS from the configuration Mode into Mode .

The firing of a reconfiguration function of a R-TNCES changes the system configuration. As a consequence, if reconfiguration functions are applied to model local reconfiguration events for switching components between their working modes and energy-efficient modes directly, the number of system configurations should be enlarged. For example, configuration Mode 4 should be considered as four different configurations: (1) both and are in their working modes, (2) is in working mode and is in energy-efficient mode, (3) is in working mode and is in energy-efficient mode, and (4) both and are in their energy-efficient modes. These four configurations have the same structure. However, they should be verified separately. Obviously, this increases the verification cost and burdens the whole design process.

Generally, transitions in a R-TNCES model normal events of a reconfigurable discrete event control system, whereas reconfiguration functions are used to model system reconfiguration events. However, the concurrence of reconfiguration functions and transitions is not allowed in R-TNCESs, which is in fact inconsistent with requirements of REMSs. To make it clearer, let us take the modules , , and as an example. Their TNCES-based models in Mode 1 and Mode 4 are shown in Figures 3 and 4, respectively. The differences between them are marked by dotted lines.

*Example 3.* Suppose that a reconfiguration function gets enabled at state when AAS is in Mode 1. The physical meaning of is that (1) just finishes transporting to and (2) is ready to process . Assume that at this time a fault is detected in . should be removed. Meanwhile, must update itself soon in order to cover ’s task. According to the design requirements for AAS, should go on working “naturally” at this time, that is, the enabled transition can fire at this state. However, the concurrence of reconfiguration functions and transitions is not allowed in R-TNCESs. Therefore, at state , only fires alone and AAS turns to the state . Afterwards, fires, which leads to the next state . However, if and fire together, AAS turns to the state directly without generating . The state transition graph of this case is shown in Figure 5.

*Example 4.* Assume that two reconfiguration functions and get enabled simultaneously at state . The physical meaning of is that (1) just starts its work and (2) both and are idle. The firing of and only changes the states inside their modules but neither alters the system structure nor enables/disables any other transitions outside. That is to say, the firing of and does not change the current system configuration. According to the design requirements for AAS, both and can reconfigure themselves into energy-efficient modes freely when they are idle for more than two time units. However, the concurrence of multiple reconfiguration functions is not allowed in R-TNCESs. Therefore, at state , only or fires alone. After that, the remaining one fires since it is still enabled. However, if and fire together, AAS turns to the state directly. The state transition graph of this case is shown in Figure 6.

In conclusion, the original R-TNCESs are not sufficient to model a REMS. The reason can be explained from the following three aspects.

(i) Reconfigurations at the component level only change component behavior modes between their working modes and energy-efficient modes rather than changing system configurations. If this kind of reconfiguration is modeled by reconfiguration functions directly, the number of system configurations should be enlarged, which increases the verification cost and burdens the whole design process.

(ii) The concurrence of reconfiguration functions and transitions is not allowed in R-TNCESs. However, from the above examples, the concurrence of reconfiguration events and normal events is a common phenomenon in a REMS.

(iii) Since the local reconfigurations for energy-efficient operations cannot be properly described, their corresponding dynamics and reasonable analysis cannot be performed.

To this end, this paper extends R-TNCESs to achieve two aims. First, all possible events including concurrent events that may occur in REMSs can be properly described. Second, the concurrence of reconfiguration functions and transitions should be controlled to ensure the system correctness.

##### 3.3. Extended R-TNCESs

An extended R-TNCES has the same structure as the original R-TNCES. It is composed of a behavior module and a control module, denoted by . The definition of system states is not changed, as shown in Definition 2 in Section 3.1. However, in the extended R-TNCES, reconfiguration functions are newly assigned with action ranges and concurrent decision functions. In addition, the firing rules of transitions and reconfiguration functions are updated such that they are conditionally allowed to fire concurrently.

###### 3.3.1. Modified Reconfiguration Functions

In order to model the two types of reconfiguration events in a REMS directly, a concept, namely, *action range*, is developed for each reconfiguration function of a R-TNCES. In addition, a *concurrent decision function* is also assigned to a reconfiguration function to constrain concurrent transitions that may lead to undesired states such as deadlocks and overflow during a reconfiguration. For the sake of brevity, a reconfiguration function indicates a modified reconfiguration function in what follows.

*Definition 5.* A reconfiguration function of an extended R-TNCES is a structure . is the precondition of . : is the structure modification instruction. is the state correlation function, where is a set of feasible initial states of . (resp., ) denotes the TNCES before (resp., after) fires. denotes the action range of . is a concurrent decision function deciding a set of forbidden transitions that cannot fire together with at state .

The reconfiguration functions of extended R-TNCESs are divided into two types: major and minor reconfiguration functions. For a reconfiguration function with and , it is a major reconfiguration function if and only if . Otherwise, it is a minor reconfiguration function. Let and denote the sets of major and minor reconfiguration functions of , respectively. Then we have and .

The implementation (firing) of a major reconfiguration function changes the structure of the current activated TNCES, whereas the implementation (firing) of a minor reconfiguration function only adjusts partial states of the activated TNCES within its action range.

Similar to Petri nets, the “conflict” concept is proposed for two enabled reconfiguration functions. We have the following two cases.

(1) For two reconfiguration functions within the same type, that is, both being minor or major reconfiguration functions, if their action ranges have intersections, they are conflicting.

(2) For a minor reconfiguration function and a major reconfiguration function, if the action range of the minor reconfiguration function is not completely covered by that of the major reconfiguration function, they are conflicting.

If two reconfiguration functions are conflicting, they cannot be implemented simultaneously. The symbol denotes that reconfiguration functions and are not conflicting.

Similar to the definition of *steps* in TNCES, a -step in an extended R-TNCES is a maximal set of reconfiguration functions that can fire simultaneously at a particular state. A -step should satisfy the following two conditions.

(1) For any two reconfiguration functions and () in a -step , and are not conflicting; that is, .

(2) There does not exist any other maximal set of reconfiguration functions such that .

Accordingly, two -steps and are conflicting, if , , , and are conflicting.
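The two conflict rules and the maximality condition above can be checked mechanically, as in the following added example (not code from the paper or from SESA). It assumes action ranges are modeled as sets of opaque element names; the function names `g12`, `g13`, `sleep_ra`, `sleep_rb`, `wake_ra` and the element names are hypothetical, constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ReconfigFn:
    """A reconfiguration function reduced to what the conflict rules need."""
    name: str
    kind: str                # "major" or "minor"
    action_range: frozenset  # element names it may touch (modeling assumption)


def conflicting(a: ReconfigFn, b: ReconfigFn) -> bool:
    """Conflict rules (1) and (2) of Section 3.3.1."""
    if a.kind == b.kind:
        # Rule (1): same type, conflicting when the action ranges intersect.
        return bool(a.action_range & b.action_range)
    minor, major = (a, b) if a.kind == "minor" else (b, a)
    # Rule (2): minor vs. major, conflicting unless the minor range is
    # completely covered by the major range.
    return not minor.action_range <= major.action_range


def reconfiguration_steps(enabled):
    """Return every maximal set of pairwise non-conflicting enabled functions."""
    fns = list(enabled)
    if not fns:
        return []
    # compat[f] = enabled functions that may fire together with f.
    compat = {f: {g for g in fns if g != f and not conflicting(f, g)}
              for f in fns}
    steps = []

    def expand(chosen, candidates, excluded):
        # Bron-Kerbosch enumeration: 'chosen' is maximal once no candidate
        # and no previously explored function can still extend it.
        if not candidates and not excluded:
            steps.append(frozenset(chosen))
            return
        for f in list(candidates):
            expand(chosen | {f}, candidates & compat[f], excluded & compat[f])
            candidates = candidates - {f}
            excluded = excluded | {f}

    expand(set(), set(fns), set())
    return steps


def steps_conflict(s1, s2) -> bool:
    """Two steps conflict when some pair drawn from them conflicts."""
    return any(conflicting(a, b) for a in s1 for b in s2 if a != b)


def step_names(steps):
    """Stable, printable form of a list of steps."""
    return sorted(sorted(f.name for f in s) for s in steps)


# Constructed scenario: two global (major) reconfigurations sharing one
# action range, plus local (minor) reconfigurations of single robots.
WHOLE_NET = frozenset({"ra", "rb", "rc", "rd", "ws"})
g12 = ReconfigFn("g12", "major", WHOLE_NET)
g13 = ReconfigFn("g13", "major", WHOLE_NET)
sleep_ra = ReconfigFn("sleep_ra", "minor", frozenset({"ra"}))
sleep_rb = ReconfigFn("sleep_rb", "minor", frozenset({"rb"}))
wake_ra = ReconfigFn("wake_ra", "minor", frozenset({"ra"}))
ENABLED = [g12, g13, sleep_ra, sleep_rb]

if __name__ == "__main__":
    for names in step_names(reconfiguration_steps(ENABLED)):
        print(names)
```

In this scenario the two major functions exclude each other, so two alternative steps result, each pairing one major function with both minor ones.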

###### 3.3.2. Dynamics of Extended R-TNCESs

Suppose that, at state , multiple reconfiguration functions get enabled, to be denoted by where () is a maximal -step at and, for all , , , and are conflicting. At the same state , the set of all enabled transitions is denoted by where () is a maximal step and, for all , , , and are conflicting. For more information on how these steps are computed, please see [34, 35].

As a consequence, different compositions of -steps and steps can occur simultaneously at this state. Given an enabled reconfiguration function , we use (resp., ) to denote the set of deleted transitions (resp., deleted places) and (resp., ) to denote the set of added transitions (resp., added places) by firing it, where , , , and . We have the following two cases.

(1) For a transition , if it is enabled simultaneously with a minor reconfiguration function at state and , then can fire simultaneously with ; that is, .

(2) For a transition , if it is enabled simultaneously with a major reconfiguration function at state , then we have the following two subcases.

(A) A spontaneous transition is forbidden to be concurrent with at , if it meets one of the following conditions.

(i) If it is deleted by , that is, , it is forbidden by ; that is, .

(ii) If and all its elements are not changed by firing , then it is allowed to fire simultaneously with . Formally, if , , , , and , we have .

(iii) If , some of its elements are modified by , which include its preset, postset, source places, and firing mode, and we have the following two cases.

(a) The preset, source places, and firing mode of decide whether is enabled after the firing of . Therefore, if its preset, source places, or firing mode is changed by , it can fire simultaneously with . Formally, if , , or , then .

(b) The postset of does not change its enabling condition but influences the structure of the net. Therefore, it is forbidden by . Formally, if , we have .

(B) A forced transition is forbidden to be concurrent with at , if it further meets one of the following conditions.

(i) Its firing mode is and all of its forcing transitions are forbidden to be concurrent with ; that is, if and, for all , , then .

(ii) Its firing mode is and at least one of its forcing transitions is forbidden by ; that is, if and , , then .

Since an extended R-TNCES allows the concurrence of multiple reconfiguration functions and transitions, the reachability graph of an extended R-TNCES is defined as follows.

*Definition 6.* The reachability graph of an extended R-TNCES is a combination of several labeled directed graphs whose nodes are the states of and whose arcs are of three kinds: steps, -steps, and combinations of a step and a -step.

(i) The arc from state to state is denoted by a step represented by , where .

(ii) The arc from state to state is labeled with a -step represented by , if contains major reconfiguration functions with . Otherwise, we have and .

(iii) The arc from to state is labeled with a step and a -step represented by , if contains major reconfiguration functions with . Otherwise, we have .

Obviously, the graphical representation of an extended R-TNCES model is the same as that of a R-TNCES model. However, system dynamics get enriched along with the changes of reconfiguration functions. If we use an extended R-TNCES to model AAS, the graphical TNCES models shown in Figures 3 and 4 are still correct. However, their reachability graphs get enriched during the same reconfiguration.

*Example 7.* A fragment of the reachability graph of the extended R-TNCES-based model of the example composed of , , and is shown in Figure 7. AAS starts running in . When it arrives at state , two minor reconfiguration functions and get enabled and fire simultaneously to reconfigure robots and into their energy-efficient modes. After 28 time units, they reconfigure back to working modes. Assume that is detected to have a fault at state ; then the major reconfiguration function gets enabled. In the meantime, gets enabled simultaneously with . Therefore, fires simultaneously with , which leads to the transformation of AAS into .

#### 4. Verification of REMSs Based on Extended R-TNCESs

In order to perform correct formal verification of AAS, an extended R-TNCES-based model should be built for it. The extended R-TNCES-based model of AAS is marked by , , , , , , , and = , , , , , , , . We have = , , , . The four major reconfiguration functions are conflicting with each other. The minor reconfiguration functions and () are conflicting but others are not. The behavior module of is shown in Figure 8, where elements drawn by dotted lines are possibly modified during the implementation of a major reconfiguration function. In order to apply automatic model checking to an extended R-TNCES, a TNCES-based nested state machine is developed to implement its control module.

##### 4.1. Implementation of Extended R-TNCESs

First of all, major reconfiguration functions are grouped according to their action ranges. A set of state machines specified by TNCESs, which are called s, is defined. Each state machine corresponds to a group of major reconfiguration functions that share the same action range. In a particular , each transition corresponds to a major reconfiguration function. The transitions in a state machine cannot fire simultaneously, which means that the major reconfiguration functions modeled by one state machine are conflicting with each other. Firing a transition in a implies that a major reconfiguration function is implemented. A is formalized as follows: where, for any , , , which means that only one place in owns a token at the initial state, and . The precondition can be modeled by input event/condition signals from external to transitions in a .

In addition, an actuator denoted by is defined for each place in all , which is marked by . Each actuator is composed of a place and a transition only, where , , and . When the place in a receives a token, the actuator is activated. An is formalized as follows: where , , , , and .

Similar to major reconfiguration functions, minor reconfiguration functions are grouped according to their action ranges. A set of state machines specified by TNCESs, which are called , is defined. Each state machine corresponds to a group of minor reconfiguration functions. If the action ranges of two minor reconfiguration functions are the same, they are modeled by transitions in a . If the action range of a group of minor reconfiguration functions, to be modelled by a , is completely covered by that of a group of major reconfiguration functions, to be modeled by a , then this is activated while this is activated.

A is formalized as follows: where, for any , , , which means that only one place in owns a token at the initial state, and . The precondition can be modeled by input event/condition signals from external to transitions in a .

*Example 8.* Figure 9 depicts the TNCES-based control module of . It has only one , since the four major reconfiguration functions share the same action range. It has four s, since the four robots have four distinct action ranges. Places , , , and in correspond to Mode 1, Mode 2, Mode 3, and Mode 4, respectively. When fires, the major reconfiguration function is implemented. Robots and are applied in every mode of AAS. Therefore, minor reconfiguration functions that transform them between energy-efficient modes and working modes are activated in every system behavior mode. Moreover, it is possible for them to fire simultaneously with other major reconfiguration functions.

##### 4.2. Formal Verification of AAS

Since the time when a major reconfiguration function can get enabled and fire cannot be predicted, this paper applies an instruction insertion method to simulate AAS. In addition, evolves according to fired maximal steps and -steps. Assume that AAS should finish 100 subassemblies. It starts with Mode 1. At time when it finishes the 60th subassembly, it reconfigures into Mode 2 due to the fault detection of . Then, it goes on working in Mode 2. At time when the 91st subassembly is being processed, it transforms into Mode 4 according to the fault detection of . During the whole process, minor reconfigurations, that is, transforming robots between their working modes and energy-efficient modes, are applied.

SESA is applied to compute the reachability graph of this whole process. A minimal path regarding time consumption from the initial state to the objective state is computed in each mode. In Mode 1, it generates 23044 states, taking 6990 time units to finish assembly of the first 60 subassemblies in the minimal path. In Mode 2, it generates 85259 states, costing 4127 time units to finish assembling the next 30 subassemblies in the minimal path. Finally, in Mode 4, it generates 195007 states, taking 1525 time units to finish assembling the last 10 subassemblies in the minimal path. Note that two states are considered to be the same if and only if they have the same token numbers and time status.

Since each TNCES-based model of the behavior modes of AAS is a well-designed control system, they are proved to be qualified according to SESA, where eCTL based functional properties and TCTL based temporal properties are checked. In addition, the following eCTL formula is applied to the control module of : This formula is proved to be false by SESA. Transition corresponds to minor reconfiguration function . Therefore, it can fire only when AAS is in Mode 1 or Mode 2. The following formula is proved to be true: It means that when robot breaks down, two reconfiguration functions and can fire simultaneously.

The triggering conditions of minor reconfiguration functions can be computed beforehand. There are several possible state/event paths showing system behavior from the initial state to the objective state, at which 100 subassemblies are finished. We select a minimal path regarding time for each TNCES-based model of the three configurations, to be denoted by , where energy-efficient operations are not included. That is to say, all robots stay in their working modes in this case, even though they have to wait for a period of time before the next task comes. After that, based on the states on this path, the time when a minor reconfiguration function gets enabled and fires can be computed. For example, if an activated robot starts to wait at a particular state , at which the system time is , a search is performed along this minimal path at . If it is found that at the robot works again, at which the system time is , then the time delay between these two states is obtained. The round local reconfigurations for switching a robot between its working mode and energy-efficient mode take two time units. Therefore, if the time delay is larger than two, that is, , a local reconfiguration can be applied to this robot. The system time for reconfiguring this robot from its working mode to its energy-efficient mode is . The system time for reconfiguring this robot from its energy-efficient mode to its working mode is .

The time that robots spend in their energy-efficient modes on the minimal paths is computed for the assembly of 100 subassemblies. It is shown in Table 1 together with the whole system uptime in each mode. Take Mode 1 as an example. Assume that consumes one energy unit per time unit in its working time but only consumes energy unit per time unit in its energy-efficient mode. In , if there is no minor reconfiguration applied to for saving energy, it will consume 6990 energy units. However, it only consumes energy units in Mode 1 if minor reconfigurations are applied when it is idle. In the same way, the energy saved by the robots during this simulation is shown in Table 2, where the third row shows the energy consumption of each robot if no minor reconfigurations are applied, the fourth row shows the energy consumption of each robot when minor reconfigurations are applied, and the last row shows the saved energy of each robot during this process.
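The idle-window search and the energy accounting described above can be sketched as follows. This is an added example, not code from the paper or from SESA. The robot name `r1`, the sample path, the one-time-unit cost of each one-way switch, the choice to start the wake-up switch one time unit before the robot resumes, and charging the switching time at the working rate are all assumptions; the low-power rate is a parameter.

```python
from fractions import Fraction

ROUND_TRIP = 2            # page: the two local reconfigurations together take two time units
SWITCH = ROUND_TRIP // 2  # assumption: each one-way switch takes one time unit

# Constructed sample path: (system time, status of hypothetical robot "r1").
PATH = [(0, "work"), (3, "wait"), (5, "work"), (8, "wait"),
        (14, "work"), (20, "wait"), (23, "wait")]

def idle_windows(path):
    """Return (t_wait, t_resume) pairs: robot starts waiting, then works again."""
    windows, start = [], None
    for t, status in path:
        if status == "wait" and start is None:
            start = t
        elif status == "work" and start is not None:
            windows.append((start, t))
            start = None
    # A wait that never resumes on the path yields no window: the search
    # described on the page needs a later state where the robot works again.
    return windows

def plan(path):
    """Return (t_sleep, t_wake): start times of the two switches per usable window."""
    return [(a, b - SWITCH) for a, b in idle_windows(path) if b - a > ROUND_TRIP]

def energy(path, low_rate, with_minor=True):
    """Energy over the path at 1 unit/time unit working, low_rate in low-power mode."""
    used = Fraction(path[-1][0] - path[0][0])
    if with_minor:
        for t_sleep, t_wake in plan(path):
            low_time = t_wake - (t_sleep + SWITCH)  # switching billed at working rate (assumption)
            used -= low_time * (1 - Fraction(low_rate))
    return used

if __name__ == "__main__":
    print(plan(PATH), energy(PATH, Fraction(1, 4)), energy(PATH, 0, with_minor=False))
```

The window from time 3 to 5 is skipped because its delay equals two rather than exceeding it, and the trailing wait from time 20 is skipped because the robot never resumes on the path.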

#### 5. Conclusion

A reconfigurable and energy-efficient manufacturing system (REMS) is a typical reconfigurable discrete event control system. It allows two kinds of dynamic system reconfigurations: local and global reconfigurations. The former ones are applied to save energy for components, whereas the latter ones are applied to change system configurations according to changed inner/outer execution environments. Meanwhile, normal events should be conditionally allowed to occur simultaneously with these system reconfigurations, such that the system can reconfigure smoothly and safely. In order to easily model conditioned concurrence of reconfiguration events and normal events and represent all interesting system behavior, this paper extends the reconfigurable timed net condition event systems (R-TNCESs) formalism. Original reconfiguration functions are newly assigned with action ranges and concurrent decision functions. Accordingly, the dynamics of R-TNCES is updated. After that, a TNCES-based implementation method for the proposed extended R-TNCES is developed such that automatic model checking can be applied. The verified properties include functional, temporal, and energy properties that are specified by Computation Tree Logic (CTL), extended Computation Tree Logic (eCTL), or Timed Computation Tree Logic (TCTL). An automatic assembly system is used to illustrate the whole work.

In the future, the authors will focus on reasonably optimal reconfigurable control systems that can save more energy and the applications of the proposed method to the crude-oil operation enterprises with huge energy consumption [48].

#### Conflict of Interests

The authors declare that there is no conflict of interests for this paper.

#### Acknowledgments

This work was supported in part by the National Natural Science Foundation of China under Grant no. 61374068 and the Science and Technology Development Fund, MSAR, under Grant nos. 065/2013/A2 and 066/2013/A2.