Formal verification of ontology transformation for distribution network information model based on meta-model theory

Abstract: This study presents a formal description and verification method for the ontology transformation process of the distribution network information model based on meta-model theory. By defining the dynamic change structures and model mapping constraints of the ontology transformation process of the distribution network, a formalised specification describing the key attributes of the model updating and model mapping processes was constructed. The model updating and model mapping instances were specified and checked with the model checking tool SPIN. The method fundamentally guarantees the standardisation and reliability of the model ontology transformation process achieved by the meta-model.


Introduction
The expanding smart distribution grid requires the information model of the distribution network to transform in step with gradually updating business modes. Procedures such as the transmission of model changes and the mapping of heterogeneous models can be achieved by a reliable intermediate model structure provided by meta-model theory. This kind of structure is not only capable of reflecting all information about model changes but also serves as a higher-level model defining the mapping specification, which achieves the combination of distributed data structure and semantics [1][2][3].
Traditional methods for the verification of programming logic are generally based on testing and simulation. Such methods share the innate defect that they can only reveal errors, not prove the correctness of the logic process, because the examples used in testing and simulation usually cannot cover all possible situations. Furthermore, the operation of most systems is influenced by the external environment and is therefore uncertain. As a result, verification of the programme is relatively difficult and expensive. To ensure the correctness and reliability of the logic process, a group of computer scientists holds that adopting formal methods in the verification and analysis of the logic process is one of the most important measures for guaranteeing the safety and credibility of systems [4][5][6].
Formal methods have been used to verify whether the information model of a smart distributed network possesses expected semantic features [7][8][9]. Using underlying logic and semantics derived from ontology rules and propositions, formal definitions and logical descriptions have been constructed for elements in the information model such as objects, logic, and scenes [10]. In general, the formal modelling and verification method of an information model for the distribution network describes the static rules and semantic characteristics of objects in the electric power system.
On certain occasions, the model needs to be changed to meet new demands. For example, when the model of one business system changes and the change needs to be transmitted to another system, the latter system must be adjusted accordingly to achieve synchronisation between the two systems and the unity of distributed data structure and semantics. The static semantics of power system objects are not enough for the verification problem of model updating and model mapping. Therefore, a detailed intermediate model needs to be established to reflect all the information on model changes. Being compatible with existing model management methods, this model should be able to identify the updated information correctly and make the corresponding changes in data structure and storage schema [11].
When two heterogeneous models are merged, a higher-level model needs to be established between models with different modelling methods and formal protocols to define the mapping specifications and to realise the conversion of semantics and data between different models [12][13][14][15].
Aiming at guaranteeing the safety and credibility of model transformation processes described by the meta-model theory, the formal method is applied as the verification procedure. The motivation of this research is to construct the formal verification method for model transformation which can ensure the logical correctness of model updating and model mapping processes.
In this paper, we introduce the formal method into meta-model theory, expecting to verify the correctness and credibility of model transformation procedures such as updating and mapping. Model updating and model mapping processes are essential to model transformations in the model-driven architecture. Model updating mainly refers to the adjustment of the original model structure while model mapping focuses on the conversion from one model to another with bidirectional conversions. In consideration of these features, we construct the formal axiomatic system including formal definitions and verification rules. Formal verifications create descriptions for operating elements of the meta-model such as objects, attributes, relationships, accessibility, and type discrimination. Verification rules mainly express the basic logical rules which must be satisfied when conducting operations on model elements, such as transitivity of updating, reversibility, and reflexivity of mapping.

Meta-model layer structure
The meta-model generally refers to the semantics, methods, and processes that construct the model. It stores, exchanges, and transforms the completed model data and is referred to as the model of models [16]. The meta-model defines the meta-class structure and logical constraints, so it has the capability of defining the model structure and constraints. Construction of the model refers to expressing the dynamic structure of a single model, i.e. to describe the model update process. Constraining the model refers to specifying the semantics of mapping relationships between multiple models, i.e. to describe the model fusion process.

Dynamic change construction
The dynamic change of a model means the model elements can change as needed at any moment, such as adding objects and attributes, constructing logical relationships among new objects [11]. The continuous update of the distribution network information model has undergone numerous dynamic changes in the construction process, making the description of power system objects more reasonable and the semantics of expression more rigorous.
The meta-model should be able to record and trace all the details of the demand-guided model changes accurately and to express the objects and processes in model construction [15,17,18]. As shown in Fig. 1, the dynamic characteristics of the model are described by the meta-model according to the change of demands. The information model of the smart distribution network is updated from the top to the bottom. The semantics and structure of the data are changed in the model layer, ultimately affecting the system data service in the integrated environment.
Therefore, the meta-model can adjust the functional modules of all layers even the whole system according to demands such as model and data splitting and integration, abstraction, and application. As a result, the distribution network information system is synchronised with the model update [19].

Model mapping constraints
The distribution network information model is based on the public information model and is at the same time compatible with other models that describe different objects and fields. Its power system abstraction is different from that of the common information model (CIM). The CIM takes grid model objects, logic, and fields as its basic elements. Other models may include multiple control targets in one entity device or require multiple entity devices to cooperate to accomplish specific control objectives. There is a fundamental difference in model structure and semantics, caused by the underlying modelling theory.
The physical characteristics and application requirements of the power grid both require that a large number of heterogeneous models be merged and that the model isolation caused by different modelling methods be eliminated, so as to construct an interconnected model as a whole [11]. Model-level operations can only resolve semantic differences between models; they cannot fundamentally achieve model integration. Therefore, a meta-model for mapping heterogeneous models needs to be defined [12], and a corresponding protocol needs to be established to guide the integration and transformation of model and data (Fig. 2).

Formal definitions and rules
Model updating and model mapping are essentially model-driven system transformation processes [20]. Updating adjusts the model on its existing structure, while mapping changes the model from one structure to another while preserving bidirectional conversion capability [21]. The meta-model is the framework modelling the model, namely the methods, steps, and rules applied in the transformation.
Definition. Meta-model: The meta-model of the distribution network model $M$ is $MM$. The meta-model for model updating is $MM_u$, with corresponding instance $mm_{u_i}$ representing the $i$th update of model $M$. The meta-model for model mapping is $MM_p$, with corresponding instance $mm_{p_{N_j}}$ representing the mapping from model $M$ to model $N_j$.
The formal rules for model updating and model mapping are listed as follows.
Rule-A. Model updating: According to the definition of instance $mm_{u_i}$ of the model updating meta-model $MM_u$, model $M$ transforms into its state after the $i$th updating process. It still conforms to the formal rules of the original model $M$. Here $M$ is the model; $mm_{u_i}$ represents the $i$th update of $M$ and is one of the instances of $MM_u$; $M_{i-1}$ is the model after $i-1$ updates; $\mathrm{Traf}$ refers to the model transformation method.
Unlike model updates, model mappings do not change the model itself, but rather define the syntax and structure details of the transformation from one model to another through meta-model instances [22][23][24].
Rule-B. Model mapping: The part of the distribution network model $M$ to be mapped conforms to the formal rules of model $N$ after the mapping process $mm_{p_N}$ from $M$ to $N$, and vice versa. Here $M$ is the model; $N_j$ is the $j$th model to be mapped with model $M$; $\varphi_{N_j}$ is the method determining the agreement degree of model $N_j$; $\varphi_M$ is the method determining the agreement degree of model $M$.
Inference: Self-mapping of a model always meets the specification [25].
Rule-C [26,27]: Given any two versions of the model, $V_1$ and $V_2$, the updating process from $V_1$ to $V_2$ is
Rule-D. Elimination rule: In the $i$th update $mm_{u_i}$ of a model, a certain object $o$ is added. In the $j$th update $mm_{u_j}$, object $o$ is eliminated. Then this object is considered not to have been added. $\mathrm{Add}$ is the two-parameter method determining whether $o$ is added in $mm_{u_i}$; $\mathrm{Del}$ is the two-parameter method determining whether $o$ is deleted in $mm_{u_i}$; $\varphi_M$ judges whether object $o$ belongs to model $M$; $o$ represents an object, attribute, or logical relationship.
Rule-E. Cover rule [28]: In the $i$th update $mm_{u_i}$ of a model, an initial value $\lambda_1$ is assigned to a certain attribute $a$. Later, in the $j$th update $mm_{u_j}$, another value $\lambda_2$ is assigned to $a$. Then attribute $a$ is eventually equal to $\lambda_2$:
$\mathrm{Set}(a, \lambda_1, mm_{u_i}) \wedge \mathrm{Set}(a, \lambda_2, mm_{u_j}) \to \mathrm{Init}(a, \lambda_2)$
$\mathrm{Set}$ is the three-parameter method judging whether attribute $a$ is assigned the value $\lambda$ in instance $mm_{u_i}$. $\mathrm{Init}$ is the two-parameter method judging the initial value of $a$.
Rule-F. Progressing rule: In the $i$th update $mm_{u_i}$ of a model, a certain object $o$ is moved. In the $j$th update $mm_{u_j}$, object $o$ is moved to another location. Then the object is moved from its original location to the location it holds after $mm_{u_j}$. $\mathrm{Move}$ is the three-parameter method judging whether $o$ is moved to position $\theta$ in instance $mm_{u_i}$. $\mathrm{Post}$ is the method judging whether $o$ is moved from its initial position to its ultimate position.
Rule-G. Safety deletion rule: A class can be safely deleted only when all of its attributes have been removed and all logical relationships with other classes have been deleted [21].
For any two specified versions of the model, the updating mode can be inferred from the combination of several intermediate processes $\bigcup_{i=1}^{n} mm_{u_i}$, satisfying the formal inference rules A to G.
Rule-H. Direct mapping: An object $o$ in model $N_j$ can be directly mapped onto an existing object in another model $M$; this is called direct mapping.
Rule-I. Indirect mapping [29,30]: Conceptually consistent means identical under the modelling semantics, as judged by the index set describing the properties of modelling objects [16]. $M$ is the model.

Case study
We use the model updating process of the CIM and the model mapping process between CIM and non-CIM models as the exemplifications for this research.
Meta-model theory focuses on the semantics, methods, and processes concerning the changes and fusions of models; the meta-model is the model of models. Formal methods are used to create formal models and specifications for the target model, perform verification, and use the result to guide the revision of the target model. Both meta-model theory and formal methods regard models as research objects. Hypothetical as they may seem, these cases are the actual research objects of meta-model theory and formal methods and have been used in practical engineering projects to guide model revisions and ensure logical correctness.

Model updating
As an example of the semantic transformation of the model updating process, we select the Feeder model in different CIM versions for analysis. The operations are carried out according to the meta-model theory, such as the increase and decrease of classes and attributes, the evolution of the relationship among objects, the localisation and extension, and the simplification of the scene. The formal method is used to validate the logic process, which confirms the correctness and reliability of the model updating process.
(i) Model update process
(a) CIM12v2: The Feeder is a sub-class of Collection, in parallel with the network data set. The Circuit class is used to represent the Feeder, and the CircuitSection class is added and aggregated into the Circuit, as shown in Fig. 3. Circuit aggregates the PowerSystemResource class, which is associated with the Substation class.
(b) CIM14v11: The Circuit class is not only a collection of data but also a logical device container, so it is modified to be a subset of EquipmentContainer. The CircuitSection class directly inherits from IdentifiedObject. Considering that the description and function of Circuit are very similar to those of the Feeder class, the Circuit class is replaced by the Feeder class and included in the WiresExt package of IEC 61968, as shown in Fig. 4.
(c) CIM15v20: The CIM replaces the Feeder class with the Circuit class. The problem is that the combination of Circuit and CircuitSection coincides with the combination of Line and ACLineSegment. Therefore, Circuit and CircuitSection are deleted, and the relevant concepts are uniformly described by Line and ACLineSegment, as shown in Fig. 5.
(ii) Model updating meta-model
(a) CIM12v2 to CIM14v11: The Feeder class is added to the model. The generalisation logic between Feeder and EquipmentContainer is established, together with the association with CircuitSection. The source of this association is CircuitSection with multiplicity 0,…,∞, and the target is Feeder with multiplicity 1,…,∞, as shown in Fig. 6.
(b) CIM14v11 to CIM15v20: The Feeder class is deleted from the model. Line and ACLineSegment are combined as a substitute for the Feeder. Since the Feeder class contains attributes that are logically linked to the other two classes, deleting the Feeder class includes removing its logical relationships with other classes, as shown in the model updating meta-model of Fig. 7. Unlike adding an object in the CIM12v2 to CIM14v11 update, deleting an object must first delete its attributes and relationships. Therefore, in Fig. 7 the steps of deleting attributes and relationships are carried out separately instead of being embedded in the deletion of the class. Removing the Feeder attributes and relationships is similar to the Feeder addition described above, so the meta-model instance is not duplicated here.
(iii) Formal verification: The update of the Feeder model from CIM12v2 to CIM15v20 can be considered as the combination of two sub-updating processes: from CIM12v2 to CIM14v11, and from CIM14v11 to CIM15v20.
By Rule-C (see (14)), $\mathrm{Add}(\mathrm{Feeder}, mm_u)$. Secondly, the logical relationships between objects are established. In the SPIN model the class and its three kinds of relationship are declared as a Promela record:
typedef CIM { mtype class; mtype genl; mtype asso; mtype agrg; }
By analogy, the logical specifications $\mathrm{Genl}(c_1, c_2)$, $\mathrm{Asso}(c_1, c_2)$ and $\mathrm{Agrg}(c_1, c_2)$ are constructed, and the formal descriptions of CIM12v2, CIM14v11, and CIM15v20 are completed step by step. On this basis, the two model updating processes, CIM12v2 to CIM14v11 and CIM14v11 to CIM15v20, are described in SPIN according to the meta-models given by (12)-(15). Finally, we state the property that needs to be validated: after the two model updating processes, the related attributes of Feeder do not exist in the final version of the model and no class is logically associated with Feeder (equation (18), Fig. 8).
From the verification results, we can see that no errors (errors: 0) were found after an operation of depth 1499 (depth reached: 1499). That is, after a limited but sufficient number of model-checking steps, the verification tool has reached all possible states in the state space of the local model. Applying the rules, the static attributes and the logical relationships among the three versions of the model are validated, and the rationality of the dynamic operation process in the model updating meta-model is verified.
The SPIN verification tool stops the run once the model has been checked sufficiently for the Linear Temporal Logic (LTL) formula to be validated without deadlock, starvation, or other unsafe conditions. The conclusion Feeder and there are no classes that are logically associated with Feeder (Fig. 9).
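The rules of the axiomatic system and the Feeder update chain above can be executed directly. The following is an added example, not the paper's SPIN model: it implements Rule-D (elimination), Rule-E (cover) and Rule-G (safety deletion) over a small class/attribute/relation structure, runs the two update instances CIM12v2 to CIM14v11 and CIM14v11 to CIM15v20, and checks the same property the paper verifies, that no attribute of Feeder remains and no class is logically associated with it. Class, attribute and relation names are constructed for illustration and are not taken from the CIM schema.

```python
# Added example, not from the paper: Rule-D (elimination), Rule-E (cover) and Rule-G
# (safety deletion) executed over the Feeder update chain CIM12v2 -> CIM14v11 -> CIM15v20.
from dataclasses import dataclass, field

@dataclass
class Model:
    classes: set = field(default_factory=set)
    attrs: dict = field(default_factory=dict)  # class -> {attribute: value}
    rels: set = field(default_factory=set)     # (kind, source, target)

def apply_update(model, ops):
    """Apply one meta-model instance mm_u_i, an ordered list of operations.
    Raises ValueError when an operation violates a formal rule."""
    for kind, *args in ops:
        if kind == "add_class":
            model.classes.add(args[0])
            model.attrs.setdefault(args[0], {})
        elif kind == "set_attr":               # Rule-E: a later Set covers an earlier one
            cls, attr, value = args
            model.attrs[cls][attr] = value
        elif kind == "del_attr":
            model.attrs[args[0]].pop(args[1], None)
        elif kind == "add_rel":
            if not set(args[1:]) <= model.classes:
                raise ValueError(f"relation {args} references a missing class")
            model.rels.add(tuple(args))
        elif kind == "del_rel":
            model.rels.discard(tuple(args))
        elif kind == "del_class":              # Rule-G: safe only once nothing is left
            if model.attrs.get(args[0]) or any(args[0] in r[1:] for r in model.rels):
                raise ValueError(f"unsafe deletion of {args[0]}")
            model.classes.discard(args[0])
            model.attrs.pop(args[0], None)
    return model

def run_chain(model, updates):
    """Compose mm_u_1 .. mm_u_n; every intermediate instance must satisfy the rules."""
    for ops in updates:
        apply_update(model, ops)
    return model

def effectively_added(cls, updates):
    """Rule-D: added in mm_u_i and deleted in a later mm_u_j counts as not added."""
    ops = [op for u in updates for op in u if op[0] in ("add_class", "del_class") and op[1] == cls]
    return bool(ops) and ops[-1][0] == "add_class"

def initial_value(cls, attr, updates):
    """Rule-E: Init(a, λ) is the value of the last Set(a, λ, mm_u_j) in the chain."""
    sets = [op[3] for u in updates for op in u if op[0] == "set_attr" and op[1:3] == (cls, attr)]
    return sets[-1] if sets else None

def detached(model, cls):
    """Property verified in the paper: no attribute of cls remains and no class is linked to it."""
    return not model.attrs.get(cls) and not any(cls in r[1:] for r in model.rels)

# CIM12v2 starting point and the two update instances (constructed names, not the CIM schema)
CIM12V2 = {"Circuit", "CircuitSection", "EquipmentContainer", "Line", "ACLineSegment"}
TO_CIM14V11 = [("add_class", "Feeder"), ("set_attr", "Feeder", "name", "F1"),
               ("add_rel", "generalisation", "Feeder", "EquipmentContainer"),
               ("add_rel", "association", "CircuitSection", "Feeder")]
TO_CIM15V20 = [("del_attr", "Feeder", "name"),
               ("del_rel", "generalisation", "Feeder", "EquipmentContainer"),
               ("del_rel", "association", "CircuitSection", "Feeder"),
               ("del_class", "Feeder")]
```

Omitting the three preparatory deletions from TO_CIM15V20 makes the class deletion fail Rule-G, which is the situation the separate steps in Fig. 7 are designed to avoid.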

Model mapping
For the fusion of heterogeneous models, we select two heterogeneous Bay models as an instance, as shown in Fig. 10. Matching the model elements according to their differences, the correctness of the mapping is guaranteed through the formal verification process. The result of the meta-model operation is to synchronise the data structure and logic syntax of these two heterogeneous models.
A large number of models have been put into operation using a database-like table structure, in which the definitions and attributes of all described objects are put into the same class without reasonable abstraction and division, as in the non-CIM transformer bay model of Fig. 10. The CIM, by contrast, is based on the object-oriented UML language and uses the modelling relationships of generalisation, aggregation, and association to express the logical relationships between objects.
By Rule-H,
$Bay.subsName \in NonCIMBay \to \exists\, Core{::}Subs.name \in CIMBay$
$Bay.bayID \in NonCIMBay \to \exists\, Core{::}Bay.mRID \in CIMBay$ (20)
$Bay.bayName \in NonCIMBay \to \exists\, Core{::}Bay.name \in CIMBay$ (21)
$Bay.busCon \in NonCIMBay \to \exists\, Core{::}Bay.busBarConf \in CIMBay$
For objects that cannot be directly mapped to a corresponding target, an indirect mapping meta-model needs to be constructed through the logical relations between the objects. Although indirect mapping is more complicated than direct mapping, no model information is lost by the change of mapping mode. By Rule-I (see (23)),
$Bay.ratedV \in nCIM \cup Core{::}baseV \in CIM \wedge Core{::}VLvl \in CIM \to \varphi_{nCIM}(Bay.ratedV, Core{::}baseV) \wedge \varphi_{nCIM}(Bay.ratedV, Core{::}VLvl)$
Thus, subsName, bayID, bayName, and busCon in the non-CIM bay model are mapped onto the related properties Subs.name, Bay.mRID, Bay.name, and Bay.busBarConf in the CIM bay model under direct mapping. The indirect mapping method maps ratedV in the non-CIM bay model onto related properties in both the VLvl and baseV classes of the CIM bay model.
The SPIN tool is used to verify the logical reasoning of the above model mapping process. The verification results are shown in Fig. 11: no errors (errors: 0) are found after the model has undergone a mapping operation of depth 3148 (depth reached: 3148) (Fig. 12).
The correctness of the dynamic mapping process from the non-CIM bay model to the CIM bay model is thereby verified.
Owing to the state space explosion caused by the enormous number of objects, attributes, and relations in different models, verification of the model mapping process is quite complicated. Within the limits of current computing resources, formal verification of larger, more specific model cases is not yet achievable.
In conclusion, we have successfully extended the application of the formal method from describing static rules and semantic features of power system objects to verifying the dynamic model transformation process. This will inform research on modelling and verification methods for the smart distribution grid and power system.
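Returning to the Bay mapping of the case study, the following is an added example, not the paper's SPIN model: it applies the direct mappings of Rule-H (subsName, bayID, bayName, busCon) and the indirect mapping of Rule-I (ratedV onto both VLvl and baseV) to a constructed non-CIM Bay record, and checks the reverse mapping required by Rule-B so that no model information is lost. The attribute names VLvl.nominalV and baseV.nominalV are constructed; the paper names only the target classes.

```python
# Added example, not from the paper: Rule-H (direct) and Rule-I (indirect) mapping of a
# non-CIM Bay record into CIM Bay properties, with the reverse mapping checked (Rule-B).
DIRECT = {  # non-CIM attribute -> CIM attribute, from the four direct mapping formulas
    "subsName": "Subs.name", "bayID": "Bay.mRID",
    "bayName": "Bay.name", "busCon": "Bay.busBarConf"}

# Rule-I: ratedV has no single CIM counterpart and is carried by two related classes.
# The attribute names below are constructed for the example.
INDIRECT_TARGETS = ("VLvl.nominalV", "baseV.nominalV")

def map_bay(non_cim):
    """Map one non-CIM Bay record to CIM attributes; unknown attributes are rejected
    rather than silently dropped, so the mapping cannot lose model information."""
    unmapped = set(non_cim) - set(DIRECT) - {"ratedV"}
    if unmapped:
        raise ValueError(f"no mapping rule for {sorted(unmapped)}")
    cim = {DIRECT[k]: v for k, v in non_cim.items() if k in DIRECT}
    if "ratedV" in non_cim:
        for target in INDIRECT_TARGETS:
            cim[target] = non_cim["ratedV"]
    return cim

def unmap_bay(cim):
    """Reverse mapping: rebuild the non-CIM record, checking that the two indirect
    targets still agree (otherwise the mapping has drifted and is not reversible)."""
    back = {k: cim[v] for k, v in DIRECT.items() if v in cim}
    present = [t for t in INDIRECT_TARGETS if t in cim]
    if present:
        values = {cim[t] for t in present}
        if len(present) != len(INDIRECT_TARGETS) or len(values) != 1:
            raise ValueError("indirect mapping targets missing or inconsistent")
        back["ratedV"] = values.pop()
    return back

def round_trips(non_cim):
    """Rule-B 'vice versa': mapping followed by reverse mapping must be the identity."""
    return unmap_bay(map_bay(non_cim)) == non_cim

# Constructed sample record
NON_CIM_BAY = {"subsName": "S1", "bayID": "B7", "bayName": "Bay 7",
               "busCon": "double", "ratedV": 10.0}
```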