Formal Verification of Consistency for Systems with Redundant Controllers
Bjarne Johansson, Bahman Pourvatan, Zahra Moezkarimi, Alessandro Papadopoulos, Marjan Sirjani
TL;DR
This work confronts the risk of two primary controllers arising in redundant distributed control networks by formalizing and validating the Network Reference Point Failure Detection (NRP FD) algorithm with Timed Rebeca and Afra, focusing on the safety property $NoDualPrimary$. It demonstrates that certain failure scenarios can yield dual primaries and introduces Leasing NRP FD as an enhanced scheme that enforces a single primary even under transient disturbances. Through formal modeling, verification, and counterexample exploration, the authors identify corner cases and quantify state-space growth (e.g., 15891 states for Leasing NRP FD with 34053 transitions). The approach provides a rigorous path toward more robust, consistency-preserving redundancy in industrial DCN environments, with potential extensions to dynamic topologies and probabilistic analyses for availability trade-offs.
Abstract
A potential problem that may arise in the domain of distributed control systems is the existence of more than one primary controller in redundancy plans that may lead to inconsistency. An algorithm called NRP FD is proposed to solve this issue by prioritizing consistency over availability. In this paper, we demonstrate how by using modeling and formal verification, we discovered an issue in NRP FD where we may have two primary controllers at the same time. We then provide a solution to mitigate the identified issue, thereby enhancing the robustness and reliability of such systems.