Design and Implementation of Runtime Verification Framework for Cyber-Physical Production Systems

Journal of Engineering

Traditional factories are turning into smart factories with the advent of various ICT technologies, and various control decisions are derived by AI technologies. In this circumstance, runtime verification of a control command is important for zero-defect manufacturing processes but challenging because factories of the future are highly complex and heterogeneous systems. In this paper, we propose DigTwinOps, a Digital Twin framework for Runtime Verification of Cyber-Physical Production Systems (CPPSs). DigTwinOps features a Digital Twin Execution Engine (DTEE) that manages a Digital Twin Model to synchronize the states of a real CPPS object in a production environment. With a combined monitoring and simulation process, a human worker can observe the states of the CPPS object and verify the effectiveness of control commands before applying them to a real production environment. The proposed framework is applied to a CPPS prototype production system, and the results show that the framework can work effectively in the controllability verification of control commands.


Introduction
Traditional factories are turning into smart factories with the advent of various ICT technologies such as wireless sensor networks (WSNs), artificial intelligence (AI), and cyber-physical systems (CPSs) [1]. With WSN technologies, machines on a shop floor (a production environment) are getting smarter and more connected [2]. Big data collected from the network of smart machines are analysed in the operational environment of the factory, and autonomous decisions can be derived by AI technologies. However, research on how to build a new factory as a smart factory, or how to convert an existing factory into a smart factory, is insufficient.
Therefore, the production environment (the physical world) and the operational environment (the cyber world) should be integrated to build a CPS-based production system, a so-called Cyber-Physical Production System (CPPS), which is an extremely promising technology of Industry 4.0 and an essential component of a smart factory [3].
One of the key issues in CPPS is the management of a control loop, which is the fundamental building block of industrial control systems [4][5][6]. It manages the decision cycle (observation, analysis, decision, and action) between the production environment and the operational environment. The control loop consists of all the physical and cyber components needed to autonomously adjust the states of the production environment to the value of a desired state [7]. Various industrial control network technologies [8][9][10] make it possible to observe real-time states of the production environment. Recent advances in big data and AI technologies have led to the development of AI-based decision-making applications [11]. However, applying a control command decided by an AI application to the production environment could be dangerous when the controllability of the decided action is not verified. Controllability is defined as the ability of a control input to move the internal state of a system from any initial state to any other final state. The controllability verification of a control command that is scheduled to be applied to the production environment is important for zero-defect manufacturing processes but challenging because CPPSs are highly large-scale, distributed, and heterogeneous systems [12].

Several studies have been devoted to developing methodologies for the verification of CPPS, e.g., Ptolemy [13], ACME [14], DEVS BUS [15], and FILCon [16]. Ptolemy, which is a design and verification tool for embedded systems, provides functionality for analysing the behaviours of networked embedded systems. However, it is difficult to integrate with real manufacturing objects for runtime verification. ACME, which is a software architecture design and verification toolkit, expands functionality for representing and analysing the heterogeneity of CPS behaviours. However, it can only verify at the single-system level and lacks precise analysis of physical dynamics. DEVS BUS provides a simulation environment for networked discrete event systems. However, it not only requires external modules such as Simulink and HLA-RTI but also requires additional implementation for runtime verification. FILCon is an MES-level framework that is able to support various manufacturing applications such as monitoring, simulation, and data analysis. However, it lacks precise representation and analysis of physical dynamics because it abstracts the behaviours of manufacturing objects below the MES level.
In this paper, a novel framework, DigTwinOps (Digital Twin framework for Operation of Cyber-Physical Production Systems), is described, which provides runtime controllability verification of a control command of a CPPS application. DigTwinOps manages an ECML-based Digital Twin Model that synchronizes the states of real machines in the production environment and provides monitoring and simulation services to both the CPPS application and the human worker for verifying the controllability of the decided control action.

System Model
CPPS Conceptual Model

Cyber-physical systems are co-engineered interacting networks of physical and computational components. Figure 1 illustrates the CPS conceptual model defined by the National Institute of Standards and Technology (NIST), which explains what a CPS is and how it operates between the physical and the cyber world [17]. According to the CPS conceptual model, a CPS manages a series of connected control loops formed at different levels of objects, from a smart device to a single system or system-of-systems. In each control loop, the cyber system observes physical processes and controls them based on an interactive decision-making process with human actors.
Meanwhile, modern production systems have several layers that comply with the control hierarchy levels of IEC 62264 [18]. IEC 62264 classifies the hierarchy of production systems as production environment, machine control, process control, and supervisory control. Since a CPPS is a production system that adopts the CPS conceptual model, a conceptual model of CPPS can be illustrated as in Figure 2. Each level has a CPPS application that manages its own control loop, which observes the states of lower layers and performs an interactive decision-making process with a human worker in the same hierarchical layer. Controllability verification of the result of the interactive decision-making is performed by DigTwinOps. To support controllability verification, DigTwinOps should provide two high-level functional requirements for the CPPS application and the human worker. The first is monitoring of physical components to observe their current states. The second is simulation capability for verifying whether the decided control action can change the state of lower-level components.

Dynamical Modelling of CPPS
All of the objects in a CPPS, from smart devices to single systems and systems-of-systems, are dynamic systems. Dynamical models are represented as a set of inputs, outputs, and state variables that depend on past inputs along with the current input. Figure 3 illustrates the classification of CPPS objects into four types by their governing equations and their relation to the IEC 62264-based control hierarchy levels.
First of all, a continuous system (CS) operates in continuous time, and its state and input/output variables are all real values. Examples are mechatronic operations in the production environment, which are modelled by differential equations. Second, a discrete time system (DTS) is time-varying but also periodic, and its state variables are real values. Examples are machine components that have sensors and computation at the hardware level. This kind of system is modelled by difference equations. The next model is a digital system, a computer system whose state and input/output variables are all discrete values. Digital systems (DS) such as a machine controller are modelled by a finite state machine (FSM). Most computer application programs in a single computing device are examples of this system. Lastly, a discrete event system (DES) is a discrete-state, continuous but event-driven system whose state evolution depends entirely on the occurrence of asynchronous discrete events over time. Distributed computing systems such as production systems and their process and supervisory control logics are modelled at this level. For modelling DES, the Discrete Event System Specification (DEVS) is used [15].

ETRI CPS Modelling Language (ECML) is a modelling language that supports modelling of the four dynamic systems in Figure 3 in a unified environment [19,20]. ECML is intended to be a modular, hierarchical, and graphical language for the modelling, analysis, and simulation of systems. Components in each layer of a CPPS can be described by continuous/discrete variables and continuous/discrete states with internal/external state transition rules. A target CPPS can be expressed as a set of (a) CPS Structural Models (CSMs) and (b) CPS Behavioural Models (CBMs) in ECML. A CSM is composed of ports, couplings, and submodels corresponding to CSMs and CBMs. A CBM consists of I/O ports, transitions, state variables, and constraints that update the values of its continuous properties. ECML employs the notions of conditional behaviour expressions, discrete-valued ports, continuous-valued ports, event ports, and constant properties, which enable easier modelling of complex CPS and better performance in simulations. Figure 4 shows an example of ECML and its representations.

Design of DigTwinOps Framework
Digital twins are virtual representations of physical entities that have become very popular in the manufacturing industry. With the advent of various ICT technologies, it is now possible to enable the seamless transmission of data between the physical machinery and the manufacturing execution system (MES) and to use cloud services to monitor, analyse, and optimize machines remotely [21]. In this section, we introduce DigTwinOps, a runtime controllability verification framework for CPPS. DigTwinOps features a Digital Twin Execution Engine (DTEE), which manages Digital Twin Models (DTMs), i.e., ECML models of the four dynamic CPPS objects. Each DTM synchronizes the states of a real CPPS object in the production environment. Based on the management of DTMs, the DTEE provides monitoring and simulation services to CPPS applications and human workers.

The purpose of the monitoring service is state synchronization and condition checking. During this persistent process, the DTEE collects various forms of data from the real CPPS object in the production environment and filters the data using the conditions in the ECML models. Figure 5 shows the monitoring service scenario of the DigTwinOps framework. In this example, a 6-axis robot and a conveyor belt system are controlled by a robot controller and a conveyor controller, respectively, and a production management system carries out supervisory control of the production environment operation. In terms of the four dynamical models, the robot and the conveyor system are continuous systems. The sensors in the robot and the conveyor controller are discrete time systems, while the control software is a digital system. The production management system is a discrete event system because it deals with asynchronous discrete events from distributed machinery objects and control systems. The DTEE …

Figure 6 shows the simulation service scenario for the production environment of Figure 5. At first, the DTEE inputs a set of predefined control commands to the production management system DTM. Then, the production management system DTM sends control signals to related DTMs such as the robot controller DTM and the conveyor belt system controller DTM. The robot DTM and the conveyor system DTM subsequently move according to their controllers' commands. When the simulation finishes, the DTEE creates a simulation result, and the CPPS application and human worker can analyse the outputs of the CPPS model over time to verify the controllability of the decided control action.
Figure 7 shows the DigTwinOps framework design for the collaborative decision-making process of the CPPS application and human worker. The framework is composed of a CPPS controller and a CPPS object (a machine in the production environment). The CPPS controller is composed of the CPPS application and the DTEE. The CPPS application processes control logic and provides visualization to human workers.

The DTEE provides monitoring and simulation services to the CPPS application and human workers. The DTEE synchronizes each DTM with its corresponding real object in the production environment. As the DTEE provides a stream of real-time state information about the target, the CPPS application and human workers can monitor the status of the target. To provide the monitoring service, DigTwinOps uses the MTConnect standard [22], which provides an HTTP/XML-based data request/response mechanism between machine and application. MTConnect is composed of three components: adapter, agent, and application. The MTConnect adapter is attached to a real machine and transfers a sensor data stream to the MTConnect agent. The MTConnect agent is an HTTP server that manages the collected sensor data and transfers requested data to the MTConnect application. The MTConnect application uses the sensor data for various purposes in the operational environment. The DTEE is developed as the MTConnect application.
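To make the monitoring path concrete, here is an added example (not code from the paper or from DigTwinOps) that parses a constructed MTConnect Streams response and merges it into a minimal twin state, rejecting stale sequence numbers and values that violate a condition; the XML sample, data item ids and the conditions standing in for ECML constraints are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed MTConnect Streams response (sample data, not captured from the
# paper's testbed); the element layout follows the MTConnect Streams schema.
SAMPLE_STREAMS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<MTConnectStreams xmlns="urn:mtconnect.org:MTConnectStreams:1.3">
  <Header creationTime="2019-01-01T10:10:49Z" instanceId="1" nextSequence="42"/>
  <Streams>
    <DeviceStream name="TR" uuid="tr-01">
      <ComponentStream component="Linear" name="X" componentId="x">
        <Samples>
          <Position dataItemId="xpos" timestamp="2019-01-01T10:10:48Z" sequence="40">27.5</Position>
        </Samples>
        <Events>
          <Execution dataItemId="exec" timestamp="2019-01-01T10:10:48Z" sequence="41">ACTIVE</Execution>
        </Events>
      </ComponentStream>
    </DeviceStream>
  </Streams>
</MTConnectStreams>"""
NS = {"m": "urn:mtconnect.org:MTConnectStreams:1.3"}

def parse_streams(xml_text):
    """Return {device name: {dataItemId: (value, sequence)}} from a Streams document."""
    state = {}
    for dev in ET.fromstring(xml_text).iterfind(".//m:DeviceStream", NS):
        items = {}
        for comp in dev.iterfind("m:ComponentStream", NS):
            for group in comp:            # Samples, Events or Condition
                for item in group:
                    value = (item.text or "").strip()
                    items[item.get("dataItemId")] = (value, int(item.get("sequence")))
        state[dev.get("name")] = items
    return state

# Constructed stand-ins for the ECML conditions the DTEE filters against.
TR_CONDITIONS = {
    "xpos": lambda v: 0.0 <= float(v) <= 30.0,            # inside the working range
    "exec": lambda v: v in {"READY", "ACTIVE", "STOPPED"},
}

class TwinState:
    """Minimal Digital Twin Model state: merge samples in sequence order and
    keep out any value that violates its condition."""
    def __init__(self, conditions):
        self.conditions, self.values, self.seq = conditions, {}, {}

    def apply(self, items):
        """Merge one device's items; return the ids whose condition failed."""
        violations = []
        for item_id, (value, seq) in items.items():
            if seq <= self.seq.get(item_id, -1):   # stale or replayed sample
                continue
            check = self.conditions.get(item_id, lambda v: True)
            try:
                ok = check(value)
            except ValueError:                     # malformed value text
                ok = False
            if not ok:
                violations.append(item_id)
                continue
            self.values[item_id], self.seq[item_id] = value, seq
        return violations
```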
When the CPPS application requests the simulation of selected control commands during the decision-making process, the DTEE analyses the behaviours of the CPPS object as the control commands are executed in the simulation environment and sends the simulation results to support the verification process of the human worker. With this combined monitoring and simulation process, based on the synchronization of the DTM and the CPPS object, a human worker can observe the states of the CPPS object and verify the effectiveness of control commands before applying them to the production environment. In the following section, the proposed framework is applied to a prototype production system.

Implementation of DigTwinOps-Based CPPS Prototype
DigTwinOps is applied to the prototype CPPS environment, a flexible motor assembly line. The purpose of the CPPS prototype is to produce daily production orders received from ERP and to perform supervisory control of the entire CPPS. The production line is composed of a network of 14 fixed production cells (FPC) and one transfer robot (TR). Each FPC periodically senses whether a material to be operated on has arrived. When the material is ready for operation, the FPC performs its own production process. When the operation finishes, the FPC calls the TR to transfer the materials to another FPC that is in charge of the next production process.
Figure 8 shows a bird's-eye view of the prototype CPPS. The TR shuffles between four working positions. The prototype CPPS produces a number of motors, already ordered at the point when production starts in the morning. Table 1 shows sample production plans and the events that occurred in a day.
Production normally begins at 10 in the morning with daily production orders and inventory. Materials come in according to a daily plan, but additional orders come without notice. Therefore, when additional orders come in, human workers should analyse the states of the current production plans and decide whether the current production strategy for the TR should be changed. Table 2 shows the two preimplemented production strategy models that a human worker can select between in the CPPS prototype. All of the FPCs and the TR are modelled in ECML, and they are synchronized with the real objects in the production environment through the MTConnect standard. On the supervisory control layer of the CPPS prototype production system, the DTEE continuously observes the states of each FPC and the TR by managing the synchronized Digital Twin Models. When an additional order comes, the DTEE autonomously determines whether decision making is required, and the simulation module of the DTEE starts a simulation with the possible production strategy models.
Figure 9 shows the Digital Twin Models of the CPPS prototype that are provided to human workers for supervisory control. It shows not only the states of CPPS objects in the production environment but also the simulation process and results, so that human workers can compare and verify the controllability of the possible strategies. Experimental results for controllability verification are presented in the next section.

Experimental Results
In the CPPS testbed, the simulation service of the DTEE with the two production strategies is activated when an additional order comes in at 12:53:01. Figure 10 shows a graph of the expected completion time, comparing the simulation results of the original production strategy 1 with the alternative production strategy 2. The graph shows that selecting production strategy 2 (20:34) will complete the production orders (24) earlier than selecting strategy 1 (20:52).
The reason for this difference can be found by analysing the transfer route of the TR. In the case of strategy 1, the TR processes the earliest transfer request from all FPCs. In the case of strategy 2, on the other hand, the TR processes the request from the nearest FPC based on its current working position (0∼3). According to Figure 8, there are three FPCs around working position 3. While the TR in strategy 1 that has just finished a transfer operation to one of the FPCs in working position 3 moves to another working position (0∼2) if there is an earlier transfer request, the TR in strategy 2 will answer a transfer request if it comes from one of the FPCs in working position 3. Figure 11 shows the transfer route of the TR over the daily production time.
The comparison of the simulated completion time shows that strategy 2 has better performance for controlling the CPPS testbed. However, the earlier completion time cannot be the only controllability metric used to evaluate control commands. Therefore, we selected two performance metrics from ISO 22400 [23] for the comparison of the two production strategies. The first is comprehensive energy consumption, which is the ratio between all energy consumed in a production cycle and the produced quantity (PQ). The second is production process ratio, which specifies the relationship between the actual production time (APT) over all work units and work centres involved in a production order and the whole throughput time of the production order, which is the actual order execution time (AOET).
Comprehensive energy consumption is calculated by analysing the location and travelling distance of the TR. According to Table 3, the TR in strategy 1 travels 314 meters while completing 24 production orders. On the other hand, the TR in strategy 2 travels just 288 meters. This means the TR in strategy 2 consumes less energy than in strategy 1. The production process ratio describes the efficiency of manufacturing facilities. In the CPPS prototype production system, both the initial production order time (10:10:49) and the additional production order time (12:53:01) are the same for the two production strategies. Moreover, the actual production time for one production order, which is the sum of the throughput time of each FPC and the mechanical operation of the TR, is also the same. The only factor that affects the actual order execution time is the travelling time of the TR due to the differences in production strategy.
Therefore, the relative production process ratio can be obtained by comparing the average production time per item, computed from each item's completion time. Table 4 shows the completion time per item and the average production time for the two strategies.
The simulation results show that it takes 27 min and 10 seconds (1630 seconds) to produce one item when strategy 1 is selected, while it takes only 26 min and 12 seconds (1572 seconds) when strategy 2 is selected as the control command. This means production strategy 2 has a comparative advantage of 104% in terms of production process ratio; in other words, it produced the same amount in 4% less time when strategy 2 is selected.
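As an added example (not the paper's code or data), the two TR dispatch strategies described above can be run on a toy discrete-event twin and ranked by completion time and travelled distance, which is the gate the DTEE applies before a strategy reaches the floor; the line layout, TR speed, handling time and request schedule are constructed assumptions, so the numbers do not reproduce Tables 3 and 4.

```python
from dataclasses import dataclass

# Constructed assumptions (not the paper's testbed data): the four working
# positions lie on a line 10 m apart, the TR moves at 1 m/s, and loading or
# unloading a material takes 5 s.
POS_GAP_M, TR_SPEED_MPS, HANDLE_S = 10.0, 1.0, 5.0

@dataclass(frozen=True)
class Transfer:
    requested_at: float  # seconds after production start
    src_pos: int         # working position (0-3) of the requesting FPC
    dst_pos: int         # working position of the FPC doing the next process

@dataclass
class SimResult:
    strategy: str
    completion_s: float  # time the last transfer is finished
    distance_m: float    # total TR travel, the paper's energy proxy
    route: list          # working positions visited, in order

def dist(a, b):
    return abs(a - b) * POS_GAP_M

# Strategy 1 in the paper: serve the earliest pending transfer request.
def earliest_request(pending, tr_pos):
    return min(pending, key=lambda t: t.requested_at)

# Strategy 2: serve the request from the FPC nearest the TR's current
# working position; ties fall back to the earlier request.
def nearest_request(pending, tr_pos):
    return min(pending, key=lambda t: (dist(tr_pos, t.src_pos), t.requested_at))

def simulate(requests, strategy, name, start_pos=3):
    """Discrete-event run of the TR twin: the clock advances only on events
    (a request arrival, or the end of a travel leg plus its load/unload)."""
    future = sorted(requests, key=lambda t: t.requested_at)
    pending, clock, pos, travelled, route = [], 0.0, start_pos, 0.0, [start_pos]
    while future or pending:
        while future and future[0].requested_at <= clock:  # admit arrivals
            pending.append(future.pop(0))
        if not pending:            # TR idles until the next request arrives
            clock = future[0].requested_at
            continue
        job = strategy(pending, pos)
        pending.remove(job)
        for leg_dst in (job.src_pos, job.dst_pos):  # go and load, go and unload
            d = dist(pos, leg_dst)
            clock += d / TR_SPEED_MPS + HANDLE_S
            travelled += d
            pos = leg_dst
            route.append(pos)
    return SimResult(name, clock, travelled, route)

STRATEGIES = {"strategy 1": earliest_request, "strategy 2": nearest_request}

def verify(requests, start_pos=3):
    """DTEE-style gate: run every candidate command on the twin before anything
    is sent to the floor; rank by completion time, then by travelled distance."""
    results = [simulate(requests, fn, name, start_pos) for name, fn in STRATEGIES.items()]
    return min(results, key=lambda r: (r.completion_s, r.distance_m)), results

# Constructed schedule: three requests at start, a fourth (additional order) at 50 s.
SAMPLE = [Transfer(0, 0, 2), Transfer(0, 3, 1), Transfer(0, 3, 0), Transfer(50, 3, 2)]

if __name__ == "__main__":
    best, results = verify(SAMPLE)
    for r in results:
        print(f"{r.strategy}: done at {r.completion_s:.0f} s, travelled {r.distance_m:.0f} m")
    print("recommended control command:", best.strategy)
```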
The experiment shows that the CPPS application and human workers are capable of observing the real-time states of the production environment and activating a simulation when a predefined issue occurs (an additional order is requested). By comparing the simulation results for the optional control commands (production strategies for the TR) against the criteria (completion time, production process ratio, and comprehensive energy consumption), the CPPS application and human workers can derive better control commands that help the CPPS reach more of its desired states, i.e., controllability verification.

Conclusions
Current smart factory research is only at the level of partial application of IT technology in production or operational environments. Therefore, research on how to build a new factory as a smart factory, or how to convert an existing factory into a smart factory, is insufficient. In this paper, the hierarchy of the existing production system is modelled as a digital twin, and the DigTwinOps framework, which uses it to perform monitoring and simulation, is proposed. This framework allows interworking simulations of data from existing factory hierarchies, and the simulation results of possible control commands can be reflected in decision making.
Usually, manufacturing companies are headquartered in the city, and factories are located on the outskirts. This framework will be located near the factory on the outskirts, which will enable rapid data collection and quick decision making at the site through direct connections to the facility. To do so, however, the facilities will need to be equipped with 5G and other wireless technologies, as well as a data center near the factory where high-performance servers capable of processing and simulating the data should be deployed. This is also the shape of the smart factory as part of the fourth industrial revolution. From a security perspective, since the proposed framework will be located in a private network close to the factory and provide abstracted data (e.g., simulated data, production output, and energy consumption) to the manager at headquarters, there may be security issues in the data exchange between headquarters and the site. We are considering a structure that stores the sensitive data used by the proposed framework in a demilitarized zone (DMZ, a physical or logical subnet that separates an internal local area network (LAN) from other untrusted networks) and allows headquarters to access the DMZ only through a virtual private network (VPN).

Figure 3: Dynamical models in cyber-physical production systems.

Figure 9: Digital Twin Model of CPPS prototype.

Figure 10: Comparison of simulation results for the completion time of production orders.

Figure 11: The transfer route of the TR over production time.

Table 1: Initial production plan and daily events.

Table 3: Travelling distance and comprehensive energy consumption of the two strategies.

Table 4: Comparison of production process ratio.