UML’03
Stochastic Evaluation of the 1st Axxom Case Study
Holger Hermanns (Saarbrücken & Twente), Yaroslav S. Usenko (Twente)
with contributions of Henrik Bohnenkamp, Joost-Pieter Katoen, Angelika Mader (Twente)
28.11.2003 Axxom Software AG, page 2
Demonstration Model of a Lacquer Production
Quality Check
Pre-dispersion/Dispersion
Dose Spinner
Mixing Vessel
Filling Stations
The 1st AXXOM Case Study revisited
University of Dortmund
Pipeless Plant
• Mixing vessels move between stations
• Plant topology (paths, collisions) is not described and not modelled here.
• Multiple equal resource instances
[Figure: pipeless plant with the stations pre-dispersion, dispersion, dose spinner, quality check and filling station, and several mixing vessels]
Problem Statement
Axxom case study - questions (Angelika Mader, University of Twente)
Question 3: AVAILABILITY
problem: machines break down for a certain amount of time (say 50%)
solution: extend the production time of a product requiring this machine (say factor 2)
question: is this the right way to deal with this kind of probabilities?
Performance & Availability Factors
Availability factor:
• reflects the fraction of time the machine is operational.
• only used if no model of operation hours is available.
• An availability factor of 0.8 extends the occupation times used for planning by a factor of 1/0.8, i.e., 1.25.
Performance factor:
• reflects unpredictable perturbations of the production process.
• A performance factor of 0.8 extends the occupation times used for planning by a factor of 1/0.8, i.e., 1.25.
A six-hour disperser job is scheduled for 14 hours
Our View
Both the performance and the availability factors relate to unplanned or unplannable perturbations of the production process.
They reflect random influences with partially known characteristics.
This holds in particular for the performance factor, and to a lesser extent for the availability factor.
Behaviour of a single machine
[Figure: three timelines with ticks at 0, 6, 14, 20, 28, 34, 42, 48 and 56, labelled "Scheduled behaviour", "Anticipated behaviour" and "Risk"]
Our Approach
Develop a model reflecting the stochastic perturbations.
Use this model to study a-priori computed valid schedules.
Quantify the risk to violate the schedule, and to miss deadlines.
Note: different valid schedules may differ w.r.t. these risks.
This provides means to rank valid schedules.
We exercise this approach using Modest.
MoDeST (1)
A specification formalism for Modelling and Description of Stochastic Timed systems
Semantics of MoDeST: STA, ‘stochastic timed automata’, a model made up from
• timed automata with deadlines [Alur/Dill, Bornot/Sifakis]
• stochastic automata [D’Argenio/Brinksma/Katoen]
• probabilistic automata [Segala/Lynch]
[Figure: example automaton with the actions get_prod, no_price, set_price, cash and tau, the clock reset y:=0, and conditions on the clock y]
MoDeST (2): syntax
[Figure: the example automaton of the previous slide, extended with a sampled delay: xd:=U[10,20], x:=0, and conditions relating x and xd]
A schedule, produced by A. Mader
• 29 jobs, grouped into 3 job types,
• each job type is composed of multiple partially concurrent tasks, running on 11 different ‘machines’.
• each job has a deadline of 336 hrs (2 weeks)
[Figure: schedule chart annotated with a job, a task, job types, machines and the deadline]
Machines in Modest
process TP2_machine() // Disperser
{
    clock w, y;
    float br, r, work, deadline;
    do {
    :: when (TP2_work>0) act_work_TP2 {=
           work=TP2_work, TP2_work=0, deadline=TP2_deadline,
           w=0,          // current working time
           br=Rand(...)  // next time to break
       =};
       do {
       :: when (cjobs>=deadline) act_error_TP2 {= TP2_done=2 =}; break     // deadline missed
       :: when (br>=work && w>=work) act_done_TP2 {= TP2_done=1 =}; break  // work finished
       :: when (br<work && w>=br)                                          // breakdown before the work is finished
              act_break_TP2 {= work-=br, r=Rand(...), y=0 =};
              when (y==r) act_repaired_TP2 {= w=0, br=Rand(...) =}
       }
    }
}
[Figure: automaton of a machine with the locations idle, work and down and the transitions work(amount,deadline), break, fix, done and missed; guards [w=br && br < amount], [amount < br && w = amount], [y=rep] and [cjobs > deadline]; updates br:=Random(...), w:=0, rep:=Random(...), y:=0 and amount -= br]
Jobs (type 2)
process Job_type2(int number, float starttime, float earliesttime, float deadline)
{
    int mv=0, ds=0; // which mixing vessel and dose spinner will we get?
    clock c;
    when(cjobs==starttime) tau {= ii+=1 =}; // starting time according to the schedule
    // disperser for 27
    when(TP2_lock==0) tau {= TP2_lock=1, TP2_deadline=deadline-49-26-2, TP2_work=27 =};
    when(TP2_done>0) tau {= TP2_done=0, TP2_lock=0 =};
    // Lock an UNI mixing vessel
    alt{
    :: when(MVU1_lock==0) tau {= mv=1, MVU1_lock=1 =}
    :: when(MVU2_lock==0) tau {= mv=2, MVU2_lock=1 =}
    };
    // Two parallel activities:
    par{
        ...
    };
    ...
    // are we on time?
    alt{
    :: when(cjobs<=deadline) tau {= d+=1, dd+=1 =} ; INC_j(number)
    :: when(cjobs>deadline) tau
    }
}
Schedule violations vs. deadline misses
schedule violation risk:
It seems wise to
• profit from slack in schedules: allow tasks to grab machines as early as possible, respecting scheduled order (not timing).
• recover from schedule violations: allow tasks to happen later than scheduled, unless job deadline miss is for sure.
The system
par{
:: ABF1_machine() :: ABF2_machine()
:: TP2_machine()
:: DOK1_machine() :: DOK2_machine()
:: DVT1_machine() :: BR1_machine() :: HDL1_machine()
:: MVU1_machine() :: MVU2_machine()
:: MVM1_machine() :: MVM2_machine() :: MVM3_machine()
:: do {
   :: tau {= i+=1, d=0, cjobs=0 =};
      par{
      :: Job_type1(17, js17, 101, 101+336)
      :: Job_type2(15, js15, 52, 52+336)
      :: Job_type2( 5, js5, 191, 191+336)
      :: Job_type2(14, js14, 274, 274+336)
      :: Job_type2(18, js18, 278, 278+336)
      :: Job_type2( 4, js4, 388, 388+336)
      :: Job_type3(28, js28, 276, 276+336)
      };
      INC_d(d)
   }
}
Intermezzo: Stochastic Perturbations
It is natural to interpret the availability/performance factor as the ratio of time the system is available/performing.
In the dependability context this ratio arises as:
So a factor of, say, 0.8 relates MTBF and MTTR:
(MTBF: mean time between failures; MTTR: mean time to repair)
If MTBF and MTTR are given, the best probabilistic approximation is obtained with negative exponential distributions, parametrized with these mean durations.
Unfortunately, the means are not given, only their ratio.
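The single-machine model and the MTBF/MTTR relation above, as an added Python example (not part of the original slides, and not MoDeST or Motor code). It assumes the standard steady-state availability A = MTBF / (MTBF + MTTR), exponentially distributed failure and repair times, and a six-hour job planned for 6/0.8 = 7.5 hours; the MTTR values are constructed time scales, chosen to show that the risk of overrunning the planned slot depends on the absolute scale and not only on the ratio.

```python
import random

def mtbf_from_availability(availability, mttr):
    # Assumed steady-state relation A = MTBF / (MTBF + MTTR), solved for MTBF.
    return availability / (1.0 - availability) * mttr

def completion_time(work, mtbf, mttr, rng):
    """Wall-clock hours needed to finish `work` hours of processing.

    Follows the machine automaton: sample the next time to break (br); if it
    is not reached before the remaining work ends, the job is done. Otherwise
    the machine works br hours, is down for a sampled repair time, and resumes.
    """
    elapsed = 0.0
    while True:
        br = rng.expovariate(1.0 / mtbf)             # next time to break
        if br >= work:                               # done before next failure
            return elapsed + work
        work -= br                                   # progress before breaking
        elapsed += br + rng.expovariate(1.0 / mttr)  # working time plus repair

def on_time_probability(work, slot, availability, mttr, runs=5000, seed=1):
    """Monte Carlo estimate of (P[job fits its slot], mean completion time)."""
    rng = random.Random(seed)
    mtbf = mtbf_from_availability(availability, mttr)
    times = [completion_time(work, mtbf, mttr, rng) for _ in range(runs)]
    on_time = sum(t <= slot for t in times) / runs
    return on_time, sum(times) / runs

if __name__ == "__main__":
    work, availability = 6.0, 0.8          # six-hour job, availability factor 0.8
    slot = work / availability             # planned occupation time: 7.5 hours
    for mttr in (10.0, 1.0, 0.1, 0.01):    # constructed time scales, same ratio
        mtbf = mtbf_from_availability(availability, mttr)
        p, mean = on_time_probability(work, slot, availability, mttr)
        print(f"MTTR={mttr:5.2f} h  MTBF={mtbf:5.2f} h  "
              f"P(on time)={p:.3f}  mean={mean:.2f} h")
```

The mean completion time is 7.5 hours at every scale, yet the probability of fitting the 7.5-hour slot moves from roughly one half (frequent short outages) to well above 0.8 (rare long outages).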
[Figure: the MOTOR tool environment: the MoDeST compiler and a discrete event simulator, shown together with the tools TorX, CADP, Spin, Uppaal, Rapture, PrUppaal, Prism, Mobius, APNN and E MC2, and other tools' outputs]
What we considered
Caution: Unfair comparison
A six-hour disperser job scheduled for 14 hours, but not in these schedules
Some comparative results
[Figure: "Job success probability": probability (axis 0% to 50%) of the number of successful jobs (none, 1, 2, 3, 4, 5, 6, 7) for Schedule 1, Schedule 2, Schedule 3 and Schedule 4]
Some comparative results
[Figure: "Job success probability" (axis 50% to 70%) against “pace” (1.0000, 0.3160, 0.1000, 0.0316, 0.0100) for Schedule 1, Schedule 2, Schedule 3 and Schedule 4]
A detailed view into schedule 1
[Figure: "Individual job success probability" (axis 0% to 120%) against “pace” (1.0000, 0.3160, 0.1000, 0.0316, 0.0100) for job4, job5, job14, job15, job17, job18 and job28]
Compare:
Conclusion
Stochastic machine model for 1st Axxom case.
Allows ranking of schedules.
Provides deeper insight into schedule particularities.
Depends on more than just the perf./avail. factors.
Motor is an early prototype. First (semi-)serious application.
Perspective
[Figure, from a slide by Kim G. Larsen: UPPAAL 1995 - 2000, a timeline over the years 1994 to 2k with marks at Dec’96 and Sep’98]
Every 9 months 10 times better performance!
Well, at least Motor has quite some potential for a similar improvement in the next decade.