International Journal of Software Engineering and Knowledge Engineering, World Scientific Publishing Company

VERIFICATION OF EMBEDDED SUPERVISORY CONTROLLERS CONSIDERING HYBRID PLANT DYNAMICS

SEBASTIAN ENGELL, SVEN LOHMANN, OLAF STURSBERG
Process Control Laboratory (BCI-AST), University of Dortmund
44221 Dortmund, Germany
[email protected]
http://astwww.bci.uni-dortmund.de

Received (Day Month Year)
Revised (Day Month Year)
Accepted (Day Month Year)

This contribution proposes a link between the specification of supervisory controllers by Sequential Function Charts (SFC) and the verification of embedded systems with hybrid dynamics. The SFC are transformed into modular timed automata using a procedure based on graph grammars. The resulting controller model is composed with a hybrid automaton (with possibly nonlinear continuous dynamics) that models the plant behavior. In order to verify safety properties of the composed system algorithmically, a tool implementing the recently proposed approach of counterexample guided model checking is employed. The procedure is illustrated for a processing system example.

Keywords: Automata, hybrid systems, logic control, model checking, sequential function charts.

1. Introduction

While Sequential Function Charts (SFC) are increasingly used to specify and to implement supervisory controllers for industrial applications, the rigorous analysis of SFC programs in conjunction with plant models is still an open issue. Since supervisory controllers often include routines to account for safety-relevant plant situations (as e.g. shutdown procedures in case of equipment malfunction), a demand for systematic analysis of supervisory controllers clearly exists. In recent years, different approaches to formally verify controllers given as SFC have been proposed [1,2,3,4,5]. The common property of these approaches is that they either only involve very simple plant models given as finite or timed automata, or that plant models are not used at all. Clearly, the avoidance of safety-critical plant states or the attainment of plant goals can only be verified when a sufficiently detailed representation of the plant behavior is considered; finite and timed automata can be too coarse or too conservative for this purpose.

This paper thus follows the idea of connecting a supervisory controller that is initially specified as an SFC to a general class of hybrid automata. The SFC is transformed into a timed automaton, the latter is composed with a hybrid automaton modeling the plant, and safety properties of the composition are verified by model checking. Complexity is a crucial point in verifying hybrid systems with nonlinear continuous dynamics; for an efficient verification in this case, we employ the technique of abstraction-based and counterexample-guided verification, as introduced in [6].

2. The Verification Procedure

The overall scheme of the verification procedure described in this paper is shown in Fig. 1. The first design step is to specify the supervisory controller based on a set of requirements and an intuitive understanding of the plant behavior. Sequential Function Charts are used at this stage since they have an increasing importance for implementing supervisory controllers for many industrial applications in the processing and manufacturing industries. SFC are particularly suited to formulate sequential behavior, and to distinguish between alternative and parallel (simultaneous) executions. According to the standard IEC 61131-3 [7], the building blocks of SFC are alternating sequences of steps and transitions, where actions are associated with steps and conditions with transitions. The right part of Fig. 2 shows the graphical representation of SFC for an example. Rectangles denote the steps (with action blocks attached to the right), bold horizontal lines the transitions (including conditions), and vertical lines the flow of execution (from top to bottom). Action blocks contain a list of actions of the following type: (a) the simple manipulation of logic variables, (b) the (de-)activation of embedded SFC, or (c) the execution of processes that are limited to a given period of time or that start with a delay. Single horizontal lines in the SFC mark alternative executions, while double horizontal lines enclose branches that are executed in parallel. This controller model is transformed into a set of automata to make it amenable to model checking. To account for the time-dependency of actions, timed automata (TA) are chosen as the target format (see Sec. 3).
The relevant part of the plant behavior is formulated as a hybrid automaton according to [8], restricted to the case that all invariants and guards are polyhedral sets and that the reset functions are linear. The communication between the controller and the plant model is realized by synchronization in the direction from the plant to the controller, and by shared variables for the control actions. The modular model is then transformed into a single composed hybrid automaton since this is the required input format of the tool performing abstraction-based and counterexample-guided model checking [9]. If the verification reveals that the composed hybrid automaton satisfies all relevant requirements, the original SFC model of the controller represents the supervisory controller to be implemented. Otherwise the counterexample corresponding to the requirement violation is examined in order to identify in which respect the SFC controller has to be modified.

Fig. 1. Specification and verification scheme.


3. Transformation of Sequential Function Charts into Timed Automata

The transformation of SFC into TA requires a clear semantics of the SFC. While the standard [7] does not precisely define the execution for all cases, we refer here to the semantics defined in [10]. Based on this definition, a transformation into timed automata was proposed in [5]. The idea of this procedure is to use a graph grammar to first partition the SFC into syntactical units. Such a unit is either a sequence of steps and transitions including alternative branches or a block representing parallel branches of the SFC. By scanning the SFC controller in a top-down manner, a structure of these two types of units is generated and represented as a modular timed automaton model: each of the units is mapped into a single timed automaton, and the activation of the automata according to the execution of the SFC is established by synchronization. The state-transition structure of the automata follows directly from the step-transition sequences of the SFC. The transition conditions, which involve either inputs from the plant or internal variables of the SFC, are expressed by synchronization, too. Finally, the actions associated with the steps are introduced in the corresponding automata, considering that clocks and time conditions have to be used where the SFC contains time-dependent action qualifiers.

While the procedure in [5] explicitly models the cyclic scanning mode in which SFC are executed on programmable logic controllers, we here employ the simplified scheme proposed in [11]. It considers the scanning mode only if an event from the plant model is received, and transforms delays resulting from the cycle time into modified timing conditions of the TA. Abstracting from the scanning mode when no plant events are received leads to an automaton structure with considerably reduced size, while the model is still conservative.

4. Algorithmic Verification

Once the model of the embedded control system is obtained as a hybrid automaton, the method of abstraction-based and counterexample-guided model checking can be applied. The principle of this technique for verifying safety properties can be summarized as follows [6]: An initial abstract model given as a finite automaton is obtained by abstracting away all continuous dynamics. Applying model checking to the abstract model identifies behaviors (the counterexamples) for which the latter violates the safety property. In a validation step, it is analyzed for these particular behaviors whether corresponding counterexamples exist also for the hybrid automaton. If this applies, the procedure terminates with the result that the hybrid automaton does not fulfil the safety requirement. If no (further) counterexamples are obtained or none of the counterexamples can be validated for the hybrid automaton, the safety of the latter is proved. The validation step involves the evaluation of the continuous dynamics of the hybrid automaton, i.e. sets of reachable hybrid states are determined for locations encountered along the counterexample. Each time a counterexample is invalidated, the information about enabled or disabled transitions (according to the reachable hybrid states in the respective locations) is used to refine the abstract model. It has been shown for a number of examples that this procedure can reduce the effort spent on computing reachable hybrid sets considerably (compared to standard methods).

The implementation of this method [9] includes two additional features to improve the efficiency of analysis: (a) The validation step comprises a hierarchy of four different techniques which differ in the ability to refute a transition for the hybrid automaton, and in the computational cost required for their application. The objective is to employ these techniques in the order of increasing costs, to refute counterexamples with the lowest cost possible. (b) As an alternative to arbitrary polyhedra, the tool includes the possibility to represent the reachable set by a series of oriented hyper-rectangles [12]. This option usually leads to a relatively small number of bounding faces required to represent the (over-approximation of the) reachable set. Since the reach set computation involves one optimization per face, the computational effort is smaller than for arbitrary polyhedra (while the over-approximation is adaptable).

5. Application

In order to illustrate the complete procedure, it is applied to the case study of a batch evaporation system [13]. As shown in Fig. 2 (left part), the system consists of two tanks (T1, T2) with heating devices, a condenser with cooling (C1), connecting pipes with valves (V1, V2, V3) and a pump (P1), as well as different sensors for liquid levels (LIS), temperatures (TI), and concentration (QIS). The intended operation is to evaporate liquid from a mixture in T1 until a desired concentration is reached, to collect three batches of the product in T2, and to empty the latter afterwards through P1. The right part of Fig. 2 shows a possible SFC controller which not only accounts for the desired procedure (left branch) but also includes exception routines (right branch) for the cases of heating breakdown in T1 (error1) and malfunction of the cooling device (error2).
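The timing part of the transformation in Sec. 3, where a delay caused by the PLC cycle time is turned into a modified timing condition of the TA, can be made concrete with a short script. The following Python code is an added example and is not code from the paper or from the authors' implementation. It takes a delayed action such as the 'D#200s' action of the SFC in Fig. 2 and derives the clock window that a timed automaton edge must allow so that it remains an over-approximation of the cyclically scanned PLC. The cycle time of 100 ms, the assumption that both the activation of a step and the expiry of its timer are noticed at most one scan late, and all step, action, clock and function names are assumptions of this example rather than values from the paper.

```python
"""Added example (not code from the paper): deriving the timed-automaton clock
condition for a delayed SFC action when the latency of the PLC scan cycle is
folded into the timing condition.  Times are integers in milliseconds."""
from dataclasses import dataclass

CYCLE_MS = 100  # constructed PLC cycle time; an assumption of this example


@dataclass(frozen=True)
class TimedEdge:
    """One edge of the timed automaton: leaving `src` for `dst` is enabled once
    `clock >= lower`; `upper` is the invariant of `src`, so the edge must be
    taken before the clock exceeds it.  Together they form [lower, upper]."""
    src: str
    dst: str
    clock: str
    lower: int
    upper: int


def delayed_action_edge(step, action, delay_ms, cycle_ms=CYCLE_MS):
    """TA fragment for an action with qualifier D#delay in SFC step `step`.
    Assumption: the step activation is noticed at the next scan (up to one
    cycle late) and the expired timer is acted upon at a scan (again up to one
    cycle late), so relative to the activating plant event the action starts
    somewhere in [delay, delay + 2 * cycle]."""
    return TimedEdge(src=step, dst=f"{step}/{action}", clock=f"c_{step}",
                     lower=delay_ms, upper=delay_ms + 2 * cycle_ms)


def plc_action_offset(event_ms, delay_ms, cycle_ms=CYCLE_MS):
    """Simulate the cyclic execution: scans occur at multiples of `cycle_ms`,
    the step becomes active at the first scan at or after the plant event, and
    the timer is compared with the delay once per scan.  Returns the time from
    the plant event until the action actually starts."""
    activation_scan = -(-event_ms // cycle_ms) * cycle_ms  # ceil to the scan grid
    scans_to_expire = -(-delay_ms // cycle_ms)             # first scan with timer >= delay
    return activation_scan + scans_to_expire * cycle_ms - event_ms


def worst_case_offset(delay_ms, cycle_ms=CYCLE_MS):
    """Largest real start offset over all phases of the event relative to the scans."""
    return max(plc_action_offset(phase, delay_ms, cycle_ms) for phase in range(cycle_ms))


def is_conservative(edge, delay_ms, cycle_ms=CYCLE_MS):
    """True if the TA window of `edge` contains the real start offset for every
    phase of the plant event, i.e. the TA over-approximates the PLC behaviour."""
    return all(edge.lower <= plc_action_offset(phase, delay_ms, cycle_ms) <= edge.upper
               for phase in range(cycle_ms))


if __name__ == "__main__":
    delay = 200_000                                   # the 'D#200s' action of Fig. 2
    window = delayed_action_edge("S_heat", "heater_on", delay)   # hypothetical names
    exact = TimedEdge("S_heat", "S_heat/heater_on", "c_S_heat", delay, delay)
    print("window", window.lower, window.upper, is_conservative(window, delay))
    print("exact ", exact.lower, exact.upper, is_conservative(exact, delay))
```

`is_conservative` exhaustively checks every phase of the plant event relative to the scan grid. An edge that fires exactly at the nominal delay (lower = upper = 200 s) fails this check, while the widened window passes it; this widening is the price for dropping the explicit scan-cycle model, and it is why the reduced TA of Sec. 3 is still conservative.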

Fig. 2. Flowchart of the evaporation system (left) and a supervisory controller given as SFC (right).
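The abstraction-refinement loop of Sec. 4, written out as an added Python example; this is not the paper's Matlab tool, which uses the four-level validation hierarchy and oriented hyper-rectangles described above. The example keeps only the skeleton of the loop: the abstract model is the location graph with all continuous dynamics dropped, a counterexample is a path to the unsafe location, validation replays the path with axis-aligned boxes as the over-approximation of the reachable set (sufficient for the constant-rate dynamics used here), and refinement excludes the refuted prefix from the abstract search. The plant is a two-variable toy loosely following the three phases of Sec. 5, with made-up rates, thresholds and location names; the 338 K threshold is the only value taken from the paper.

```python
"""Added example (not the paper's Matlab tool): skeleton of abstraction-based,
counterexample-guided safety verification for a hybrid automaton with
constant-rate dynamics, using axis-aligned boxes as reachable-set
over-approximation.  All plant data below is constructed for illustration."""
from dataclasses import dataclass

INF = float("inf")


@dataclass
class Location:
    rates: dict      # variable -> constant derivative while in this location
    invariant: dict  # variable -> (lo, hi); the location may only be occupied inside


@dataclass
class HybridAutomaton:
    locations: dict  # name -> Location
    edges: dict      # (src, dst) -> guard box; unlisted variables are unconstrained
    init_loc: str
    init_box: dict   # variable -> (lo, hi) of the initial continuous states
    unsafe_loc: str  # safety property: this location is never entered


def box_intersect(a, b):
    """Intersection of box `a` with (partial) box `b`; None if empty."""
    out = {}
    for v, (lo, hi) in a.items():
        blo, bhi = b.get(v, (-INF, INF))
        lo, hi = max(lo, blo), min(hi, bhi)
        if lo > hi:
            return None
        out[v] = (lo, hi)
    return out


def time_elapse(box, loc):
    """Over-approximate the states reachable by letting time pass in `loc`: the
    dwell time is bounded by the first variable forced out of the invariant (for
    the box corner that can stay longest); every variable is then stretched by
    rate * dwell in its direction of motion and clipped to the invariant.
    Couplings between variables are ignored, so this is an over-approximation."""
    box = box_intersect(box, loc.invariant)  # entering requires the invariant
    if box is None:
        return None
    dwell = INF
    for v, r in loc.rates.items():
        lo, hi = box[v]
        ilo, ihi = loc.invariant.get(v, (-INF, INF))
        if r > 0 and ihi < INF:
            dwell = min(dwell, (ihi - lo) / r)
        elif r < 0 and ilo > -INF:
            dwell = min(dwell, (hi - ilo) / -r)
    out = {}
    for v, (lo, hi) in box.items():
        r = loc.rates.get(v, 0.0)
        if r == 0:
            pass
        elif dwell == INF:
            lo, hi = (lo, INF) if r > 0 else (-INF, hi)
        elif r > 0:
            hi += r * dwell
        else:
            lo += r * dwell
        out[v] = (lo, hi)
    return box_intersect(out, loc.invariant)


def abstract_counterexample(ha, refuted):
    """Model check the abstract model: depth-first search over the location
    graph (continuous dynamics dropped) for a simple path from the initial to
    the unsafe location that does not extend an already refuted prefix."""
    stack = [(ha.init_loc,)]
    while stack:
        path = stack.pop()
        if path in refuted:
            continue                    # refinement: this behaviour is gone
        if path[-1] == ha.unsafe_loc:
            return path
        for src, dst in ha.edges:
            if src == path[-1] and dst not in path:
                stack.append(path + (dst,))
    return None


def validate(ha, path):
    """Replay an abstract counterexample on the hybrid automaton.  Returns None
    if every transition stays enabled for the over-approximated reach sets (the
    counterexample cannot be refuted), else the shortest infeasible prefix."""
    box = ha.init_box
    for i, loc in enumerate(path):
        box = time_elapse(box, ha.locations[loc])
        if box is None:
            return path[:i + 1]
        if i == len(path) - 1:
            return None
        box = box_intersect(box, ha.edges[(loc, path[i + 1])])
        if box is None:
            return path[:i + 2]        # the guard is unreachable from here


def verify(ha):
    """Counterexample-guided loop: abstract, check, validate, refine."""
    refuted = set()
    iterations = 0
    while True:
        iterations += 1
        path = abstract_counterexample(ha, refuted)
        if path is None:
            return "safe", None, iterations
        spurious = validate(ha, path)
        if spurious is None:
            return "not_refuted", path, iterations
        refuted.add(spurious)


def evaporator_model(drain_cooling_rate):
    """Constructed toy plant (made-up numbers): x1 = temperature in T1 [K],
    x2 = level in T1 [m]; 'unsafe' is entered if the temperature falls to
    338 K while T1 still contains liquid."""
    return HybridAutomaton(
        locations={
            "heat":     Location({"x1": 1.0, "x2": 0.0}, {"x1": (300.0, 360.0)}),
            "drain":    Location({"x1": drain_cooling_rate, "x2": -0.01}, {"x2": (0.3, 1.0)}),
            "transfer": Location({"x1": -0.2, "x2": -0.02}, {"x2": (0.01, 1.0)}),
            "unsafe":   Location({}, {}),
        },
        edges={
            ("heat", "drain"):      {},                          # cooling failure: no guard
            ("drain", "unsafe"):    {"x1": (-INF, 338.0)},
            ("drain", "transfer"):  {"x2": (-INF, 0.3)},
            ("transfer", "unsafe"): {"x1": (-INF, 338.0), "x2": (0.01, INF)},
        },
        init_loc="heat",
        init_box={"x1": (350.0, 352.0), "x2": (0.5, 0.6)},
        unsafe_loc="unsafe",
    )


if __name__ == "__main__":
    print(verify(evaporator_model(-0.1)))   # slow cooling: both abstract paths refuted
    print(verify(evaporator_model(-1.0)))   # fast cooling: counterexample survives
```

With slow cooling the abstract model offers two paths into `unsafe`; both are refuted because the temperature box never reaches 338 K before the level guard fires, and the loop ends with "safe" after three iterations. With fast cooling the first path survives validation. Since the boxes over-approximate, "not_refuted" is not a proof of a real violation; the paper's tool escalates to the costlier validation techniques of Sec. 4 at this point, and a verified counterexample would then be used to revise the SFC.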


Fig. 3. Separate automata to model the SFC structure (inputs / outputs and time conditions are omitted).

Since the SFC controller contains two time-dependent actions (marked by 'D#200s' and 'DS#200s'), it is transformed into timed automata following the procedure sketched in Sec. 3. Figure 3 shows the states and transitions of the automata that represent the SFC structure, including the synchronization labels start and finish. One possible verification objective is to check whether the controller avoids safety-critical states, which are a critically high or a critically low temperature of the mixture in T1, for the two failure cases. Assuming that a condenser malfunction occurs while the evaporation in T1 runs and T2 is partly filled, the relevant plant behavior can be restricted to three phases: P1 - heating in T1 while T2 is drained, P2 - draining of T2 without heating in T1, P3 - transferring the content of T1 into T2. The corresponding hybrid automaton contains nonlinear differential equations for the temperature of the liquid in T1, as well as the liquid levels in T1 and T2. The verification procedure described in Sec. 4 is applied to the composition of all automata. As Fig. 4 shows, a critically low temperature of 338 K is not reached before T1 is emptied, i.e., it can be concluded that the SFC controller works as desired for this configuration. This result is obtained within a computation time of around one minute on a PC with a 1.8 GHz Pentium-4 CPU.

Fig. 4. Reachable continuous set: The final set shows that a critically low temperature (x1 = 338 K) is not reached before Tank 1 is empty (x2 ≤ 0.01 m).

6. Conclusions

The connection of methods for modeling logic controllers as SFC and for verifying hybrid automata offers the possibility to systematically check if the controller satisfies requirements formulated for the hybrid plant behavior. The obvious objective is to create a complete tool chain from the controller specification as SFC to the verification. At present, we have an implementation that converts controllers modeled in an SFC editor into TA, and Matlab routines for the verification of hybrid automata. Implementing the procedure of composing the TA model of the controller with the hybrid automaton in Matlab is a subject of current work.

References

1. S. Bornot, R. Huuck, Y. Lakhnech and B. Lukoschus, Verification of sequential function charts using SMV, in Proc. Int. Conf. Parallel and Distributed Processing Techniques and Applications (2000), pp. 2987–2993.
2. K. Fujino, K. Imafuku, Y. Yamashita and H. Nishitani, Design and verification of SFC programs for sequential control, Computers and Chemical Eng., 24 (2000), pp. 303–308.
3. S. Lamperiere and J.-J. Lesage, Formal verification of the sequential part of PLC programs, in Discrete Event Systems (Kluwer Academic Publ., 2000), pp. 247–254.
4. P. L'Her, P. Le Parc and L. Marce, Proving sequential function chart programs using automata, in Automata Implementation (Springer, Berlin, 1998), LNCS 1660, pp. 149–163.
5. M.P. Remelhe, S. Lohmann, O. Stursberg and S. Engell, Algorithmic verification of logic controllers given as sequential function charts, in Proc. IEEE Conf. on Computer-Aided Control System Design (IEEE, 2004), pp. 53–58.
6. E. Clarke, A.
Fehnker, Z. Han, B.H. Krogh, J. Ouaknine, O. Stursberg and M. Theobald, Abstraction and counterexample-guided refinement in model checking of hybrid systems, Int. Journal Foundations of Computer Science, 14(4) (2003), pp. 583–604.
7. International Electrotechnical Commission (Committee No. 65), Programmable controllers – programming languages, IEC 61131-3 (IEC, 2003).
8. T.A. Henzinger, The theory of hybrid automata, in Proc. 11th IEEE Symp. on Logic in Computer Science (1996), pp. 278–292.
9. O. Stursberg, A. Fehnker, Z. Han and B.H. Krogh, Verification of a cruise control system using counterexample-guided search, Control Eng. Practice, 12(10) (2004), pp. 1269–1278.
10. N. Bauer, R. Huuck, B. Lukoschus and S. Engell, A unifying semantics for sequential function charts, in Integration of Software Specification Techniques for Applications in Engineering (Springer, Berlin, 2004), LNCS 3147, pp. 400–418.
11. O. Stursberg, S. Lohmann and S. Engell, Improving dependability of logic controllers by algorithmic verification, accepted for 16th IFAC World Congress (2005).
12. O. Stursberg and B.H. Krogh, Efficient representation and computation of reachable sets for hybrid systems, in Hybrid Systems: Computation and Control (Springer, 2003), LNCS 2623, pp. 482–497.
13. S. Kowalewski, O. Stursberg and N. Bauer, An experimental batch plant as a case example for the verification of hybrid systems, European Journal of Control, 7 (2001), pp. 366–381.