
Proceedings of 24th Conference on Decision and Control, Ft. Lauderdale, FL, December 1985

WP11 3:45

A TEMPORAL LOGIC APPROACH TO REAL TIME CONTROL

J.S. Ostroff and W.M. Wonham

Department of Electrical Engineering, University of Toronto, Toronto, Ontario, Canada M5S 1A4

ABSTRACT

Discrete event systems in such areas as process control, flexible manufacturing systems and computer networks require real time distributed computer control to ensure an orderly flow of events. A temporal logic framework for the specification, analysis and verification of such control systems is discussed. Controllers are implemented in the Pascal based distributed language CONIC.

1. Introduction

Examples of discrete event real time systems include process control, flexible manufacturing systems, computer networks, traffic systems and telephone switches. Real time control programs for such systems are in general difficult to understand, write and debug [1], as the controllers must respond to events that arise spontaneously in the plant within some hard time constraints. In this paper we outline a temporal logic framework for the specification, analysis and verification of controllers for discrete event systems. A more precise and complete discussion of the framework is currently in preparation [3].

2. Temporal Logic

We shall present an informal account of how the general temporal logic developed in [2] is specialized to reason about plants and controllers. An intuitive interpretation of the temporal operators for predicates p and q is as follows: ○p - p is true in the next state; ◇p - eventually there will be a state in which p is true; □p - henceforth, in all subsequent states, p holds; p P q - should q hold at some future state it must be preceded by p; p U q - p holds until q becomes true. In order to describe not only states but also events, we set aside one of the sorts of our language to represent events; the constants of this sort are event symbols such as α, β, γ and A is a local variable of that sort. Intuitively A represents at any instant the next event that is to occur and which will bring the system to its next state [4]. Examples include: A = α - in the current state the next event is α; ◇(A = α) - eventually there will be a state with next event α; t = 10 → (A = τ P t = 11) - if in the current state time is 10 ticks, then the event τ must precede any future state in which time is 11 ticks.

3. Processes

A process P abstractly is an 8-tuple P = (E, L, δ, G, C, z̄, L0, z̄0) where E = {α, β, γ, ...} is a set of (simple) events, L = {L, L', ...} is a set of locations in which the process dwells, and δ: E × L → L is a transition function, a partial function defined at each location l ∈ L for a subset E_l ⊆ E. Events are location transitions L --e--> L' where δ(e, L) = L'. The process has a vector of local variables

z̄ = (z, z', ...), each variable z ranging over its own domain D_z. Z is the cross-product of all the D_z. G = {g, g', ...} is a set of guards, namely predicates in the local variables z̄. C = {c, c', ...} is a set of input and output channels. The initial location is L0 and the initial value of the local variables is the vector z̄0. We add to E the following compound events which are used to represent program instructions: f(z̄) - apply function f to the local variables and assign f(z̄) to z̄; skip - go to the next location without changing any local variables; ωu(d) - wait at the current location up to d ticks; ωl(d) - wait at the current location for at least d ticks; c?z - receive a message on channel c and put it in the local variable z; c!v - send a message v on channel c. Associated with each channel c is a set of messages D_c. In c!v and c?z both v and z must have values in D_c. Compound events are usually guarded. Thus the process transition L --g→f(z̄)--> L' means that if the guard is true then the edge is instantaneously traversed while replacing z̄ by f(z̄).

4. Examples of Processes

A clock C which ticks with event τ infinitely often may be written as:

0 --τ--> 1 --τ--> 2 --τ--> 3 --τ--> ...

This process has no channels, guards or local variables. The location variable is t which ranges over the natural numbers and the event set is {τ}. A level detector H1 for a tank is

[Figure: level detector H1; transition graph over the locations L, N, H with events α1, α2, α3, α4]

where L = {L(ow), N(ormal), H(igh)} and the location variable is x1 ∈ L. The events are α1 = level goes high, α2 = level goes low, and α3 and α4 are a return to normal. A pump H2 to pump water out of the tank is

[Figure: pump H2; transition graph over the locations I, P, F with events c?β1, c?β2, β3, β4]

CH2245-9/85/0000-0656 $1.00 © 1985 IEEE


where L = {I(dle), P(ump), F(aulty)} and the events are c?β1 and c?β2 to start or stop the pump, β3 is a pump fail and β4 is a recover to normal. The event c?β1 means that the pump is Idle until it receives a command over channel c to start the pump. A controller K which may be implemented in the Pascal-based language CONIC [5] is given in the next figure, where g is the predicate (x = y) or (x = N). The locations are L = {K0, K1, ..., K5}, the initial location is l = K0 and the initial value of the local variables is (x, y) = (N, N). The channels are C = {m1, c} where m1 is an input channel and c is an output channel.

[Figure: controller K; transition graph over the locations K0, ..., K5, of which only an edge labelled y := x is legible in the scan]

5. Process Transition Axioms

For each transition L --g→e--> L' in a process the following axioms apply.

(AP1) If e is a simple event, skip, ωu(d) or ωl(d) then

(l = L) & g & (A = e) & φ[l : L'] → ○φ

where φ is any predicate (containing no temporal operators) in which the next event variable A does not occur. Let v be any variable and e any expression. Then φ[v : e] denotes the formula obtained from φ by replacing all occurrences of v with e.

(AP2) If e is f(z̄) then

(l = L) & g & (A = e) & φ[l : L', z̄ : f(z̄)] → ○φ

Except for the communication events, the process functions asynchronously and independently of other processes. For a communication event, however, the receiving process with transition L_r --g_r→c?z--> L_r' must rendezvous with the sending process with transition L_s --g_s→c!v--> L_s'. The composite event c(v,z) is performed, in which both the sending and receiving process synchronously make their respective transitions. The event c(v,z) is essentially a distributed assignment z := v. Since send and receive instructions are always executed in matching pairs, each has the potential to block the other [6]. In order to model plants, we allow v to be a simple event and put v = z as in processes K and H2, where we have the events c!β and c?β. In this case the composite event is c(β).

(AP3) If e is a communication event c(v,z) then

(l_r, l_s) = (L_r, L_s) & g_r & g_s & (v ∈ D_c) & (A = e) & φ[l_r : L_r', l_s : L_s', z : v] → ○φ.

If e is a communication event c(β) then we have an axiom (AP4) similar to (AP3) but without the assignment of v to z in φ.

6. Time

By allowing the clock C of Sect. 4 as one of the asynchronous processes, we can make quantitative statements about time. In addition to the transition axiom AP1 as applied to the clock (call it AC1) we also require a liveness axiom:

(AC2) (A = e0) → ○[(t = 0) & □◇(A = τ)]

where e0 is the initial start or reboot of the system. (AC2) asserts that when the system is started, the clock is set to zero and thereafter the clock will tick infinitely often. We may now write C = {AC1, AC2}. In general any process P is completely described by the set of all its transition and liveness axioms. An example of a liveness axiom with real time constraints for a process with transition L --g→f(z̄)--> L' is

(l = L) & g & (t = T) → ◇(A = f(z̄) & t ≤ T + T_{g,f})

where T_{g,f} = T_g + T_f. The function f is computed in time T_f and the guard g is evaluated in time T_g.

7. Plants and Controllers

Let the plant consist of the tank level detector H1 and the pump H2 to empty the tank, as described in Sect. 4. The controllable events are β1 and β2 in H2 because these events may be commanded over the control channel c by the controller K. All the other events are uncontrollable and occur spontaneously. The controller will need to scan the state of the plant. To achieve this, add the event m1!x1 as a transition at each location in H1; i.e. for all L ∈ L, δ(m1!x1, L) = L. Similarly, the transition function for H2 must be defined at each location for the event m2!x2. If we define H1 and H2 by their respective transition and liveness axioms as described in Sects. 5 and 6, then the overall plant is H = H1 ∪ H2.
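The process tuple of Sect. 3, the rendezvous of Sect. 5 and the scan loops just added to H1 and H2, written out as an added example that is not the paper's or the CONIC implementation's code. The controller K here is a two-location simplification I assume, with skip guarded by g = (x = y) or (x = N) and the commands guarded by its negation; ASCII names (a1, b1, tau) stand for the Greek event symbols.

```python
# Added example (not from the paper): the process tuple of Sect. 3 and the
# rendezvous (composite event c(v,z), AP3/AP4) of Sect. 5, instantiated on H1
# and H2 of Sect. 4 with a two-location controller K (assumed simplification).
TRUE = lambda z: True
def setvar(name):                              # action f(z): z[name] := received v
    return lambda z, v: z.__setitem__(name, v)

class Process:
    """delta: (event, location) -> (guard, new location, action|None); partial."""
    def __init__(self, name, locvar, loc0, z0, delta):
        self.name, self.locvar, self.loc = name, locvar, loc0
        self.z, self.delta = dict(z0), delta
    def value(self, expr):                     # location var, local var, or constant
        return self.loc if expr == self.locvar else self.z.get(expr, expr)
    def enabled(self, event):                  # defined at this location and guard true?
        edge = self.delta.get((event, self.loc))
        return edge is not None and edge[0](self.z)
    def step(self, event, v=None):             # traverse L --g->e--> L' (AP1/AP2)
        if not self.enabled(event):
            raise ValueError(f"{self.name}: {event} not enabled at {self.loc}")
        _, new_loc, action = self.delta[(event, self.loc)]
        if action:
            action(self.z, v)
        self.loc = new_loc
        return new_loc

def rendezvous(c, sender, v, receiver, z):
    """c!v and c?z fire together as the composite event c(v,z), i.e. z := v.
    Returns None when either side is not enabled: the other side blocks (CSP)."""
    if not (sender.enabled(f"{c}!{v}") and receiver.enabled(f"{c}?{z}")):
        return None
    val = sender.value(v)
    sender.step(f"{c}!{v}"); receiver.step(f"{c}?{z}", val)
    return f"{c}({val})" if v == z else f"{c}({val},{z})"   # c(b1) vs m1(H,x)

def build():
    """H1, H2 of Sect. 4 with the m1!x1 / m2!x2 scan loops of Sect. 7, and K."""
    h1 = Process('H1', 'x1', 'N', {}, {('a1', 'N'): (TRUE, 'H', None),
          ('a2', 'N'): (TRUE, 'L', None), ('a3', 'H'): (TRUE, 'N', None),
          ('a4', 'L'): (TRUE, 'N', None), **{('m1!x1', l): (TRUE, l, None) for l in 'LNH'}})
    h2 = Process('H2', 'x2', 'I', {}, {('c?b1', 'I'): (TRUE, 'P', None),
          ('c?b2', 'P'): (TRUE, 'I', None), ('b3', 'P'): (TRUE, 'F', None),
          ('b4', 'F'): (TRUE, 'I', None), **{('m2!x2', l): (TRUE, l, None) for l in 'IPF'}})
    changed = lambda z: z['x'] != z['y'] and z['x'] != 'N'   # this is not-g
    k = Process('K', 'l', 'K0', {'x': 'N', 'y': 'N'}, {
        ('m1?x', 'K0'): (TRUE, 'K1', setvar('x')),          # scan the level
        ('skip', 'K1'): (lambda z: not changed(z), 'K0', None),
        ('c!b1', 'K1'): (lambda z: changed(z) and z['x'] == 'H', 'K0', lambda z, _: z.update(y=z['x'])),
        ('c!b2', 'K1'): (lambda z: changed(z) and z['x'] == 'L', 'K0', lambda z, _: z.update(y=z['x']))})
    return h1, h2, k
```

A rendezvous attempted while K is still at K0 returns None, which is the blocking the text attributes to matched send/receive pairs.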

8. Specifications

We give an example of a liveness and a safety specification for required closed loop plant behavior.

(SR1) (A = α1) & (x2 = I) & (t = T) → ◇(A = c(β1) & t ≤ T + T_r).

SR1 is a liveness specification that requires the pump to be turned on within a response time T_r after the tank level goes high, should the pump be Idle.

(SR2) (A = α1) or (A = c(β1)) → ○[A = α1 P A = c(β1)].

SR2 is a safety specification that requires that there must not be an unsolicited control signal to turn the pump on unless it is preceded by the tank level going high. For the given plant and controller the required specification is satisfied. Moreover, safety specifications of the type SR2 are in general decidable with polynomial complexity for finite state machines [3].

REFERENCES

[1] Bernstein A., Harter P.K., 1981. Proving real-time properties of programs with temporal logic. Proc. 8th Annual ACM Symp. on Operating Systems Principles, California, December.
[2] Manna Z., Pnueli A., 1983. Verification of concurrent programs: a temporal proof system. Report No. STAN-CS-83-967, Dept. of Computer Science, Stanford University, June.
[3] Ostroff J.S. (in preparation). A temporal logic approach to real time computer control. Ph.D. Thesis, Dept. of Electl. Engrg., University of Toronto.
[4] Thistle J.G., 1985. Control problems in a temporal logic setting. M.A.Sc. Thesis, Dept. of Electl. Engrg., University of Toronto, January.
[5] Kramer J. et al., 1984. A software architecture for distributed computer control systems. Automatica, vol. 20, no. 1, January.
[6] Hoare C.A.R., 1985. Communicating Sequential Processes. Prentice Hall.
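SR1 and SR2 of Sect. 8 checked over finite traces of the plant, as an added example that is not part of the paper. The finite-trace reading of the Sect. 2 operators, the response bound T_R = 3 ticks, the ASCII event names and the reset form in which SR2 is checked (every command must be preceded by an α1 that occurs after the previous command) are my assumptions.

```python
# Added example (not from the paper): a finite-trace checker for SR1 and SR2 of
# Sect. 8.  ASCII event names stand for the paper's symbols: 'tau' = clock tick,
# 'a1'..'a4' = level detector events, 'c(b1)'/'c(b2)' = composite start/stop
# commands on channel c, 'b3'/'b4' = pump fail/recover, 'm1(x1)' = a scan.
T_R = 3   # response bound Tr in ticks (assumed; the paper leaves Tr symbolic)

# Effect of each event on the plant variables: t (clock), x1 (level), x2 (pump).
EFFECT = {'tau': ('t', lambda v: v + 1),
          'a1': ('x1', lambda v: 'H'), 'a2': ('x1', lambda v: 'L'),
          'a3': ('x1', lambda v: 'N'), 'a4': ('x1', lambda v: 'N'),
          'c(b1)': ('x2', lambda v: 'P'), 'c(b2)': ('x2', lambda v: 'I'),
          'b3': ('x2', lambda v: 'F'), 'b4': ('x2', lambda v: 'I')}

def run(events):
    """State sequence for an event list; state['A'] is the *next* event, as in the paper."""
    state = {'t': 0, 'x1': 'N', 'x2': 'I'}          # initial values of Sect. 4
    trace = []
    for e in events:
        trace.append(dict(state, A=e))
        if e in EFFECT:                             # scans change no plant variable
            var, f = EFFECT[e]
            state[var] = f(state[var])
    return trace + [dict(state, A=None)]            # final state, no next event

# Finite-trace reading of the Sect. 2 operators, evaluated at position i.
def eventually(tr, i, p):  return any(p(s) for s in tr[i:])
def henceforth(tr, i, p):  return all(p(s) for s in tr[i:])
def until(tr, i, p, q):    # p U q: q at some j >= i and p at every k, i <= k < j
    return any(q(tr[j]) and all(p(s) for s in tr[i:j]) for j in range(i, len(tr)))
def precedes(tr, i, p, q): # p P q: every q at j >= i has a p at some k, i <= k < j
    return all(not q(tr[j]) or any(p(s) for s in tr[i:j]) for j in range(i, len(tr)))

def sr1(tr, t_r=T_R):
    """(A=a1) & (x2=I) & (t=T) -> <>(A=c(b1) & t <= T+Tr), at every state."""
    return all(eventually(tr, i, lambda s, T=s0['t']: s['A'] == 'c(b1)' and s['t'] <= T + t_r)
               for i, s0 in enumerate(tr) if s0['A'] == 'a1' and s0['x2'] == 'I')

def sr2(tr):
    """No unsolicited c(b1): each command is preceded by an a1 occurring after
    the previous command (the next-state P obligation restarts after each c(b1))."""
    restarts = [0] + [i + 1 for i, s in enumerate(tr) if s['A'] == 'c(b1)']
    return all(precedes(tr, i, lambda s: s['A'] == 'a1', lambda s: s['A'] == 'c(b1)')
               for i in restarts)

# Constructed traces: a compliant run, a late response, and an unsolicited command.
GOOD  = run(['tau', 'm1(x1)', 'a1', 'm1(x1)', 'tau', 'c(b1)', 'tau', 'a3', 'tau', 'c(b2)'])
LATE  = run(['a1', 'tau', 'tau', 'tau', 'tau', 'c(b1)'])
UNSOL = run(['tau', 'm1(x1)', 'c(b1)', 'tau', 'a1'])
```

GOOD satisfies both specifications, LATE violates SR1 (the command arrives four ticks after α1) and UNSOL violates SR2 (a command with no preceding α1).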
