Formal Reduction of Interfaces to Large-scale Process Control Systems

International Journal of Automation and Computing

04(4), October 2007, 413-421 DOI: 10.1007/s11633-007-0413-9

Formal Reduction of Interfaces to Large-scale Process Control Systems Walter Hussak∗

Shuang-Hua Yang

Department of Computer Science, Loughborough University, Loughborough LE11 3TU, UK

Abstract: A formal methodology is proposed to reduce the amount of information displayed to remote human operators at interfaces to large-scale process control plants of a certain type. The reduction proceeds in two stages. In the first stage, minimal reduced subsets of components, which give full information about the state of the whole system, are generated by determining functional dependencies between components. This is achieved by using a temporal logic proof obligation to check whether the state of all components can be inferred from the state of components in a subset in specified situations that the human operator needs to detect, with respect to a finite state machine model of the system and other human operator behavior. Generation of reduced subsets is automated with the help of a temporal logic model checker. The second stage determines the interconnections between components to be displayed in the reduced system so that the natural overall graphical structure of the system is maintained. A formal definition of an aesthetic for the required subgraph of a graph representation of the full system, containing the reduced subset of components, is given for this purpose. The methodology is demonstrated by a case study. Keywords:

1

Finite state machines, process control, temporal logic, user interfaces, user modeling.

Introduction

The internet offers a great platform for establishing distributed large-scale monitoring and control systems. Such systems can be controlled remotely by a number of operators located anywhere in the world. Each might be given responsibilities for the operation of different parts of the system. The basic problem when designing the interface for a remote operator is to decide which information to display. One of the main challenges is to design the interface so that the operator is able to realize quickly if certain situations are occurring in the system. A large number of components along with intricate interconnections can congest an interface and visually obscure information that is important at a given point in time. In addition to this, requests for large amounts of information in the interface increase the transmission load over the internet and limit the scope for concurrency between interfaces requiring a consistent view of common data. As a result, the speed of communication may be slowed down compounding the slower response of the operator if information is obscured. Human factors researchers have suggested various solutions to the problem of large amounts of information at operator interfaces, including structuring mechanisms[1] , hiding[2] and dialogue cycles[3] , and tools have been produced to put these solutions into practice[4, 5] . The objective of this paper is to use formal methods to reduce the number of components to be displayed at operator interManuscript received November 29, 2006; revised March 27, 2007 This work was supported by the Royal Society in the UK (No.2004R1). An initial study appeared in Proceedings of IEEE International Conference on Systems, Man and Cybernetics, the Hague, Netherlands, pp. 124–129, 2004. *Corresponding author. E-mail address: [email protected]

faces, for a certain class of scaled-up process control plants, by eliminating them altogether from the display. Formal methods have been used in several ways for interface design, including cognitive modeling and task analysis[6, 7] . Most uses have been with small systems and have focussed on analyzing complicated user interaction to produce better interfaces. This is in contrast to large systems where, even when interaction is straightforward, there is the significant problem of managing the sheer quantity of data. Formal methods have also been used in process control engineering for specification and verification mainly of programmable logic controllers where there is no need for human interaction[8−17] . Many have used finite state machines and temporal logic[18] along with associated model checkers[19−21] . We will use formal methods to model the components at a human operator0 s interface to a process control system, specifying as a finite state machine how the state of these components changes in time according to the behavior of the system and other human operators. A condition expressed in temporal logic will check whether the state of certain components can be determined from that of others. If so, not all components need be displayed and the interface is reduced. A major problem associated with a large amount of information at the interface is the complexity of interconnections between components. Most work addressing this kind of complexity has concentrated on visually improving the graph of connections by redrawing it according to desirable graph aesthetics. Many aesthetics have been suggested: minimizing edge crossings, area, the sum of the edge lengths, trying to keep edges at the same length, minimizing bends and reducing jagged edges[19, 22−24] . Different

414

International Journal of Automation and Computing 04(4), October 2007

aesthetics conflict with one another, for example a redrawing that minimizes edge crossings would, in general, increase edge lengths. The difficulty is that all these approaches aim to reproduce the same abstract graph albeit in a different planar drawing. We offer an alternative, namely that of simplifying the graph by actually reducing the number of edges. This means that a different abstract graph, which is a subgraph of the original graph, is displayed. In this case, a subgraph aesthetic is required, to ensure that a useful graphical representation of the system is maintained. This paper is organized as follows. Section 2 contains a description of how finite state machines are used to specify components, situations of components being in certain states, and system and human operator behavior affecting the state of components. A temporal logic expression for checking for component dependence is formulated. In Section 3, a graph definition is given for the class of process control systems for which interface reduction is proposed in this paper. Aesthetics are given for the subgraph of the original process control system graph that should be drawn corresponding to a reduced set of components. A case study applying the techniques of Sections 2 and 3 to a scaled-up version of a real-life system is given in Section 4. The conclusions are drawn in Section 5.

2 2.1

Interface reduction Components and situations

The system is modeled from the point of view of a single operator who we shall refer to as the master operator. We assume that the master operator sees the system at the interface as a finite set of components of which C1, · · · , Cm are the components that are changed by other operators but not the master operator, but whose state influences the actions of the master operator. It is the set of these components that we will subset and we do not consider the components that the master operator may actually change, all of which have to appear at the interface. The master operator is interested in finitely many situations of the state of C1, · · · , Cm. These situations are given as formulae in propositional logic s1, · · · , sn, asserting relationships between propositional variables denoting the states of the components C1, · · ·, Cm. We will use “!”, “&”, “|”, “→”, and “↔” to denote the logical operators “not”, “and”, “or”, “implies”, and “if and only if” respectively. For example, if C1, · · · , Cm are valves with binary states either 0 or 1, the situation sj which describes all valves being off is given by sj ≡!C1&· · ·&!Cm.

2.2

(1)

System and operator behavior

The system behavior is modeled as a finite state machine (FSM) in a way suitable for analysis by the model checker, a new symbolic model verifier (NuSMV)[19] , and similar to other models of process control systems[16] . For simplic-

ity, components are assumed to have a single Boolean variable state. Other, existing, formal models of process control plants can deal with finitely many ranges for numerical states of components. These could be modeled here by associating several Boolean variables with each component. It is possible to modify our method of analysis, given in Section 2.3 below, in a straightforward manner to take account of this. However, the amount of interface reduction may depend on the choice of ranges for numerical states of components. Further study is required to determine how the best reductions are achieved in such cases. In order to describe the effect of the system and other operators acting on components C1, · · ·, Cm, we introduce additional propositional variables oprtC1, · · ·, oprtCm which signify an automated system or human operator action about to take place on that component. At any instant an operator may perform actions on any subset of components. If oprtCi is true, that just means that Ci is one of the components on which the operator is performing an action, but oprtCi in itself does not specify the nature of the action. As far as the master operator is concerned, technically, a system state comprises states for all components as well as the states for these additional Ci giving information on the components on which an action is being performed. The behavior of the overall system observed by the master operator is described as a system finite state machine (Q, init, trans and val) where 1) Q is a finite set of system states; 2) init ∈ Q is an initial state; 3) trans is a transition relation between states in Q; 4) val labels each q in Q with values for C1, · · ·, Cm and oprtC1, · · ·, oprtCm giving a state of the system. We assume that at any instant other (system or human) operators perform actions, each on a subset of components of {C1, · · ·, Cm}, possibly based on human judgment influenced by the state of components. From the point of view of the master operator, the subset of components being operated is a non-deterministic choice from finitely many alternatives. For this reason, the changes to the system state are represented by a relation trans modeling non-deterministic transitions of state.

2.3

Component dependence

The objective is to find a minimal amount of information needed to determine when a situation sj(1 ≤ j ≤ n) holds in sequences of states generated by the FSM (Q, init, trans and val) for possible behaviors of the system and operators. We say that a subset of components {Ci1, · · ·, Cil} ⊆ {C1, · · ·, Cm} provides full information regarding the situation sj if, given (Boolean) values vi1, · · ·, vil for Ci1, · · ·, Cil respectively and that sj is true at some system state q ∈ Q for those values for Ci1, · · · , Cil, it is impossible to have sj false for those same values of Ci1, · · ·, Cil, at some other system state q 0 ∈ Q. This is a kind of functional dependence of sj on Ci1, · · ·, Cil familiar from database theory[25] , but where the functional dependence is inferred from the be-

W. Hussak and S. H. Yang/ Formal Reduction of Interfaces to Large-scale Process Control Systems

havior of the system and human operators as defined by the system FSM. To prove this for a given {Ci1, · · ·, Cil}, Boolean values vi1, · · · , vil, and situation sj, we shall use the temporal logic computation tree logic (CTL)[18] in the following way. The system FSM (Q, init, trans and val) unwinds into an infinite tree of possible computation paths rooted at the initial state init. A CTL formula of the form EF prop

(2)

is true if and only if the formula prop is true at some state along some computation path, in which the path quantifier E specifies some path from the current state while F specifies the future operator. Therefore, {Ci1, · · ·, Cil} provides full information precisely if !((EF (sj&f ))&(EF (!sj&f )))

(3)

holds for all Boolean values vi1, · · · , vil and situations sj, where f ≡ ((Ci1 = vi1)&· · ·&(Cil = vil)). (4) Equation (3) is exactly the condition that, given values vi1, · · · , vil for Ci1, · · · , Cil respectively, sj cannot be true at some state q ∈ Q (which lies along some computation path emanating from init) whilst sj is false at some other state q 0 ∈ Q (which lies along some possibly different computation path emanating from init). Note that, if {Ci1, · · · , Cil} does provide full information for all the sj(1 ≤ j ≤ n), then any sj can be monitored by Ci1, · · · , Cil, because then the Boolean values for Ci1, · · · , Cil: {(vi1, · · · , vil) : (Ci1 = vi1)& · · · &(Cil = vil)&sj is true at some q ∈ Q}

(5)

are precisely the Boolean values vi1, · · · , vil for Ci1, · · · , Cil for which sj is true in any state q ∈ Q, as (3) rules out the possibility that sj could be true and false for the same vi1, · · · , vil for f at different states anywhere in Q. Equation (3) can be proved for all Boolean values vi1, · · · , vil for f as at (4) by using further additional variables with arbitrary initial values which are then fixed over all states in computation paths in an extended FSM, and proving (3) with respect to that extended FSM. This will be demonstrated in the case study in Section 4.

2.4

Minimal component sets

We need to find minimal subsets {Ci1, · · ·, Cil} ⊆ {C1, · · ·, Cm} giving full information about all sj, i.e., subsets of minimum cardinality for which (3) holds for 1 ≤ j ≤ n denoted as F I({Ci1, · · ·, Cil}). The following algorithm generates all such minimal subsets. Algorithm. generate minimal sets msets = ; for l = 1 to m do if msets= then for {Ci1, · · ·, Cil} ⊆ {C1, · · ·, Cm} do

415

if F I({Ci1, · · ·, Cil}) then msets = append({Ci1, · · ·, Cil}, msets) end if end for end if end for end algorithm

The algorithm maintains a list msets of subsets {Ci1, · · ·, Cil} of minimum cardinality giving full information about all sj. At each level of cardinality l, it loops through all subsets {Ci1, · · ·, Cil} each time invoking a temporal logic model checker to test if the conjunction of (3) over all sj holds (F I({Ci1, · · ·, Cil} is true) for all behaviors of the FSM. If that is the case, {Ci1, · · ·, Cil} is added to the list msets. The algorithm terminates at the level of cardinality l successfully appending to msets. The algorithm is exponential in the number of components m. This does not present a problem in cases of control systems that are composed of identical subsystems with a small number of components. Any reduction in each of the small subsystems scales up to a significant reduction in the overall system. The case study in Section 4 is of such a scaled-up system.

3

Reduced interface display

Once it has been determined that a subset of components gives full information on the state of the whole process plant with respect to the situations of interest, the matter of drawing the reduced interface needs to be considered. We define a “subgraph aesthetic” for the connections between components to be displayed in the reduced interface. Firstly, we need to give a graph definition of the restricted class of process control plants that we are dealing with. In a more general class, reactors could be connected to further components. Definition 1. A process-control plant graph (pp-graph) is a 6-tuple (T , R, C, J, E and P ) where 1) T is a set of tank nodes; 2) R is a set of reactor nodes; 3) C is a set of component labels; 4) J is a set of junction nodes; 5) E is a set of directed edges between nodes in T ∪ R ∪ J, each possibly labeled by some c ∈ C; 6) P is a set of paths of edges each starting at a tank node and finishing at a reactor node after passing through several junction nodes and such that all edges e ∈ E lie on some path p ∈ P . Intuitively, a process control plant comprises tanks containing raw material which flows through sections of pipes (corresponding to edges), along which there may be components (labeling edges as in 5) of Definition 1 such as valves,

416

International Journal of Automation and Computing 04(4), October 2007

motors, or other operating units, arriving at a reactor where the product is produced. The junction nodes may be physical, in the case where two sections of the pipe meet, or logical, in order to partition sections of the straight pipe containing several components, so that not more than one component lies between two junction nodes. It may seem more natural to represent components by nodes. The reason that the representation given here is chosen is that it simplifies the mathematical description of the reduced system subgraph given in Definition 2 below. Note that the component labels of edges need not represent actual components, but could represent variables such as, for example, the flow rate along a pipe. Fig. 1 gives an example of a pp-graph. There, T = {t1, t2}, R = {r1, r2}, C = {c1, · · ·, c16}, J = {j1, · · ·, j8} and P is the set of all paths t → ji1· · ·jik → r, where t ∈ T , r ∈ R and ji1, · · ·, jik ∈ J. The basic problem is to define which subgraph of the pp-graph to display corresponding to a reduced subset of components Cred ⊆ C. An obvious candidate is the subgraph containing just the edges belonging to Cred. Suppose that the reduced set Cred = {c1, c3, c9, c11, c14} has been produced for the system of the pp-graph in Fig. 1. The subgraph with edges in Cred is shown in Fig. 2. The benefits of a graphical representation of the system have been lost. It is not clear from Fig. 2 whether c9 or c14 is the first component on the only route from t2 to r2. A graph aesthetic is needed but, unlike existing graph aesthetics[2] that are concerned with redrawing the same graph, we need an aesthetic for drawing a subgraph containing a specified subset of edges and maybe others, a kind of “subgraph aesthetic”. The subgraph aesthetic we give is practically motivated by the case of process control plants. We require that the subgraph corresponding to a reduced set of components, is the process control plant graph maintaining the structure of the original process control plant in the following sense: any edge labeled by c ∈ Cred should lie on a path in the reduced pp-graph, that was a path in the original pp-graph. One advantage of this aesthetic is that an operator needing to find the state of a component (edge) in the reduced set, between a particular tank and reactor, can trace that edge by following edges either from the tank or the reactor. The formal definition is as follows.

Fig. 2

Subset of component edges subgraph

Definition 2. Given a reduced set of components Cred ⊆ C of a pp-graph P P G = (T, R, C, J, E, P ), a reduced subgraph with respect to Cred is a pp-graph P P G0 =(T 0 , R0 , C 0 , J 0 , E 0 , P 0 ) satisfying: 1) T 0 = T , R0 = R, C 0 = Cred; 2) J 0 ⊆ J, E 0 ⊆ E, P ⊆ P 0 ; 3) if e ∈ E is labeled by some c ∈ Cred, then e ∈ E 0 ; 4) if e ∈ E 0 and e was labeled by c ∈ C not belonging to Cred in P P G, then e has no label in P P G0 ; 5) every edge e ∈ E 0 labeled by some c ∈ Cred, lies on some path from T 0 to P 0 in P P G0 ; 6) T 0 , R0 , C 0 , J 0 , E 0 and P 0 are chosen to satisfy 1)–5) such that E 0 is of minimum cardinality. Without condition 6) of Definition 2, P P G0 could just be the original graph P P G0 with the labels of components in C but not Cred erased from edges. With condition 6), actual edges will be deleted, reducing edge crossings which can cause confusion, yet retaining the intuitive process plant appeal. The reduced subgraph of the system in Fig. 1 with respect to Cred = {c1, c3, c9, c11, c14} is shown in Fig. 3.

Fig. 3

Fig. 1

A pp-graph for a process plant

Reduced subgraph

An algorithm to generate all reduced subgraphs is possible as pp-graphs are finite. We do not give a general algorithm for doing this in this paper. In the case study in Section 4, it suffices to find a visually appealing reduced subgraph informally to illustrate the reduction that can be achieved.

W. Hussak and S. H. Yang/ Formal Reduction of Interfaces to Large-scale Process Control Systems

4

Case study

The case study is a scaled-up version of a transferring system such as the penicillin process given in [16]. The system comprises three transferring subsystems Unit(123), Unit(231) and Unit(312) where unit Unit(xyz) consists of two solvent tanks (Tankx, Tanky), two reactors (Reactorx, Reactorz), two external pumps (mAx, mBy), four Ellis locks (VAx, VBy, VCxy, VDyx) at various stages of piping between tank and reactor, and two control valves (vAx, vBy), as shown in Fig. 4. Each tank holds a solvent until it is ready to be transferred to a reactor at the start of a new batch process. There are four human operators: a unit operator assigned to operate the components VAx, VBy, VCxy, VDyx, mAx, mBy, vAx, and vBy of each Unit(xyz), and a master operator assigned to operate the filling of tanks F1, F2, F3 and observe the temperatures temp1, temp2, and temp3 in the reactors. The interface presented to the unit operators is as in Fig. 4, and the initial interface for the master operator is shown in Fig. 5. The master operator performs actions on tanks, adjusting F1, F2, and F3, and reactors, adjusting temp1, temp2, temp3, based on their current state and on knowledge of whether any of the following situations of open routes between tank and reactor in Unit(xyz) holds (refer to Fig. 4):

417

non-deterministic. It follows that the same reduction will be achieved for each unit.

Fig. 4

Unit(xyz) master operator interface

s1. Route VAx, mAx, vAx is the only open route; s2. Route VAx, VCxy, mBy, vBy is the only open route; s3. Route VBy, mBy, vBy is the only open route; s4. Route VBy, mBy, VDyx, vAx is the only open route; s5. Routes VAx, mAx, vAx and VBy, mBy, vBy are the only open routes. The master operator performs an action on a tank or reactor based on the state of all units which are displayed together in a graphical interface. It is reasonable that although the master operator0 s actions are influenced by the situations s1–s5 occurring, the actions require further human judgment that cannot be automated. As regards the unit operators, we assume that they perform actions on the components in their unit only and that these actions also require human judgment that cannot be automated and are, as such, non-deterministic from the point of view of the master operator. However, even though these actions are non-deterministic, they are not completely arbitrary and are limited by the system to prevent unsafe or malicious conduct. From the point of view of the master operator, the actions are a non-deterministic choice between several actions (discussed below) of opening and closing various routes between tanks and reactors. We reduce the interface for the master operator using the techniques of Sections 2 and 3 by subsetting the set of components {VAx, VBy, VCxy, VDyx, mAx, mBy, vAx, vBy} from Unit(xyz). Even though the unit operators may judge similar situations differently, this cannot be specified and so the unit operators0 actions are assumed to be equally

Fig. 5

Master operator initial interface

The behavior of the overall system observed by the master operator is specified as a finite state machine in the input language of NuSMV[19] in Appendix. Here, we give a description of the specification and the results obtained from generating reduced interfaces. Keywords have the following meanings • MODULE : Either the main module or a subroutine. • VAR : Define variables, mostly components. • DEFINE : Name expressions for conciseness. • SPEC : Specify a proof obligation in CTL. • ASSIGN : Define transition relations for variables.

418

International Journal of Automation and Computing 04(4), October 2007

• init : Define initial conditions of the variables.

4.4

• next : Define a relationship between values of variables in a particular state and its successor state.

The algorithm of Section 2.4 requires that NuSMV is run for f (see the definition of F I there) corresponding to increasing subsets of components until there are subsets of some cardinality providing full information about s1–s5. In the case study this results in 162 calls to NuSMV. The case of f corresponding to the subset {VA, VB, vA, vB} is shown in lines 30–33 of Appendix. The minimal subsets providing full information were found to be: {VA, VB, VC, vB}, {VA, VB, VD, vA}, {VA, VB, vA, vB}, {VA, VB, m1, vB}. The results show that the state of at most one of the Ellis locks VC and VD is sufficient for detecting the situations s1–s5. Notice that the minimal subsets are not symmetric with respect to category A and B components in every case. This reflects the asymmetry of category A and category B components in a unit. The solution {VA,VB, vA, vB} may be the preferred reduced subset because of its symmetry.

• TRANS : Allow a transition relation to be specified as a relation between state and successor state of multiple variables. • - - : Indicate a comment. The three units are declared (lines 7–9 of Appendix) to be of the Unit(xyz) module type (lines 46–167 of Appendix).

4.1

Components and situations

The components in Unit(xyz) are declared VA, VB, VC, VD, mA, mB, vA, and vB in lines 48–51 of Appendix where we have dropped the x and y for notational simplicity. The five situations s1–s5 above are specified as s1, s2, s3, s4, and s5 (lines 25–29 of Appendix) by means of routes r1, r2, r3 and r4 (lines 17–24 of Appendix) for the components in Unit(123). For example, route VA, mA, vA, being open corresponds to the Boolean expression Unit123.VA & Unit123.mA & Unit123.vA being true.

4.2

System and operator behavior

Variables oprtVA,· · · , oprtvB are declared in lines 53–56 of Appendix corresponding to the system or a human operator changing the system at the next point in time. Lines 61–84 of Appendix specify that the state of a component does not change otherwise. The changes that the system or human operator can make to the state of components are defined in the TRANS section (lines 86–167 of Appendix). They comprise either a human operator opening a route, or the system or a human operator closing a route. For example, the opening of route r1 (lines 88–100 of Appendix) either means the operator opening VA, mA, and vA (line 90 of Appendix) and closing VB, mB, vB, VC, and VD (lines 91, 92 of Appendix), or the operator opening VA, mA, and vA (line 95 of Appendix) and closing just VB, VC, and VD (line 96 of Appendix), or the operator opening VA, mA, and vA (line 99 of Appendix) and closing just VB, mB, and vB (line 100 of Appendix).

4.3

4.5

Minimal component sets

Example of reduced interface

We consider the case of the reduced subset {VA, VB, vB, vA} for each unit. As the units partition the paths from tanks to reactors, the reduced subgraph (Definition 2) of the process plant can be seen to be a merge of the reduced subgraphs for the respective units. For each unit, conditions 1)–5) of Definition 2 require that components in the set {VA, VB, vA, vB} appear on some path from tank to reactor, and condition 6) requires that the number of edges chosen to achieve this is minimized. Thus, the reduced subgraph for a unit is as shown in Fig. 6. The benefit of this reduction to a unit is seen in the reduced interface of the whole plant for the master operator shown in Fig. 7. The reduced interface has a 40% (12/30) reduction in displayed components and a 75% (12/16) reduction in edge crossings. This is achieved in a display that preserves the natural physical layout of the system.

Component dependence

By Section 2.3, finding minimal subsets of components giving full information about s1–s5 means proving (3) for all possible truth values for the components in the chosen subset and all of s1–s5. As mentioned there, this is achieved by incorporating additional variables corresponding to each component (lines 3–6 of Appendix) fixing their arbitrary initial values over time (lines 11–14 of Appendix) and instantiating a subset of components to these initial values (lines 30–33 of Appendix show the instantiation for the subset {VA,VB,vA,vB} for Unit(123)). (3) is coded in lines 38–42 of Appendix.

Fig. 6

Unit(xyz) master operator reduced interface

W. Hussak and S. H. Yang/ Formal Reduction of Interfaces to Large-scale Process Control Systems

Appendix

Fig. 7

5

Master operator reduced interface

Conclusions

The feasibility of any use of formal verification with largescale process control systems is limited by the state explosion problem, where the number of system states increases exponentially with the number of components. To overcome this problem with large-scale systems, the compositional nature of such systems can be used, so that model checking is only required of the smaller constituent parts of the system[26] . In the use of formal verification for interface reduction, we have demonstrated in the case study how, for a large system composed of identifiable smaller subsystems, performing formal verification to reduce the smaller subsystems individually can result in vastly reduced congestion in the graph of connections of the overall system interface. Thus, as with other uses of formal verification with large process control systems, exploiting compositional structure is an important consideration. There is, of course, a price to be paid for interface reduction. Although the interface can be greatly visually improved, the human operator has to be trained to recognize situations of importance from the smaller set of components displayed. For example, in the case study, the situation s2 that the route VA, VC, mB, vB is open is inferred from VA and vB being open and VB and vA being closed. The benefits of easing visual tasks should be set against the drawbacks of additional mental tasks. In practice, the final choice of reduced subset of components should be based on further empirical evidence as to which maximizes the efficiency of a suitably trained operator. The contribution of this paper has been a methodology for producing reduced subsets of components. This is the starting point for deciding how much actual reduction should take place.

1 MODULE main 2 VAR 3 VA: boolean; VB: boolean; 4 VC: boolean; VD: boolean; 5 mA: boolean; mB: boolean; 6 vA: boolean; vB: boolean; 7 Unit123: Unitxyz; 8 Unit231: Unitxyz; 9 Unit312: Unitxyz; 10 ASSIGN 11 next(VA):=VA; next(VB):=VB; 12 next(VC):=VC; next(VD):=VD; 13 next(mA):=mA; next(mB):=mB; 14 next(vA):=vA; next(vB):=vB; 15 DEFINE 16 - - situations 17 r1: = Unit123.VA & Unit123.mA & 18 Unit123.vA; 19 r2 := Unit123.VA & Unit123.VC & 20 Unit123.mB & Unit123.vB; 21 r3:= Unit123.VB & Unit123.mB & 22 Unit123.vB; 23 r4: = Unit123.VB & Unit123.mB & 24 Unit123.VD & Unit123.vA; 25 s1 := r1 & !r2 & !r3 & !r4; 26 s2 := !r1 & r2 & !r3 & !r4; 27 s3 := !r1 & !r2 & r3 & !r4; 28 s4 := !r1 & !r2 & !r3 & r4; 29 s5 := r1 & !r2 & r3 & !r4; 30 f := ((Unit123.VA< − >VA) & 31 (Unit123.VB< − >VB) & 32 (Unit123.vA< − >vA) & 33 (Unit123.vB< − >vB)); 34 35 36 SPEC 37 38 !( (EF(s1&f)) & (EF(!s1&f)) ) & 39 !( (EF(s2&f)) & (EF(!s2&f)) ) & 40 !( (EF(s3&f)) & (EF(!s3&f)) ) & 41 !( (EF(s4&f)) & (EF(!s4&f)) ) & 42 !( (EF(s5&f)) & (EF(!s5&f)) ) 43 44 45 46 MODULE Unitxyz 47 VAR 48 VA: boolean; VB: boolean; 49 VC: boolean; VD: boolean; 50 mA: boolean; mB: boolean; 51 vA: boolean; vB: boolean; 52 - - system or operator intervention 53 oprtVA: boolean; oprtVB: boolean; 54 oprtVC: boolean; oprtVD: boolean; 55 oprtmA: boolean; oprtmB: boolean; 56 oprtvA: boolean; oprtvB: boolean; 57 DEFINE 58 oprt := oprtVA | oprtVB | oprtVC | 59 oprtVD | oprtmA | oprtmB | 60 oprtvA | oprtvB; 61 ASSIGN 62 init(VA) :=0; 63 next(VA) := case !oprtVA:{VA}; 64 1:{0,1}; esac; 65 init(VB) :=0;

419

420 66 next(VB) := case !oprtVB:{VB}; 67 1:{0,1}; esac; 68 init(VC) :=0; 69 next(VC) := case !oprtVC:{VC}; 70 1:{0,1}; esac; 71 init(VD) :=0; 72 next(VD) := case !oprtVD:{VD}; 73 1:{0,1}; esac; 74 init(mA) :=0; 75 next(mA) := case !oprtmA:{mA}; 76 1:{0,1}; esac; 77 init(mB) :=0; 78 next(mB) := case !oprtmB:{mB}; 79 1:{0,1}; esac; 80 init(vA):=0; 81 next(vA) := case !oprtvA:{vA}; 82 1:{0,1}; esac; 83 init(vB):=0; 84 next(vB) := case !oprtvB:{vB}; 85 1:{0,1}; esac; 86 TRANS 87 - - human operator opening up route 1 88 oprtVA & oprtmA & oprtvA & oprtVB & 89 oprtmB & oprtvB & oprtVC & oprtVD & 90 next(VA) & next(mA) & next(vA) & 91 !next(VB) & !next(mB) & !next(vB) & 92 !next(VC) & !next(VD) | 93 oprtVA & oprtmA & oprtvA & oprtVB & 94 !oprtmB & !oprtvB & oprtVC & oprtVD & 95 next(VA) & next(mA) & next(vA) & 96 !next(VB) & !next(VC) & !next(VD) | 97 oprtVA & oprtmA & oprtvA & oprtVB & 98 oprtmB & oprtvB & !oprtVC & !oprtVD & 99 next(VA) & next(mA) & next(vA) & 100 !next(VB) & !next(mB) & !next(vB) | 101 - - closing route 1 102 VA & mA & vA & 103 oprtVA & oprtmA & oprtvA & !oprtVB & 104 !oprtmB & !oprtvB & !oprtVC & !oprtVD 105 & !next(VA) & !next(mA) & !next(vA) | 106 - - human operator opening up route 2 107 oprtVA & oprtmA & oprtvA & oprtVB & 108 oprtmB & oprtvB & oprtVC & oprtVD & 109 next(VA) & !next(mA) & !next(vA) & 110 !next(VB) & next(mB) & next(vB) & 111 next(VC) & !next(VD) | 112 oprtVA & oprtmA & oprtvA & oprtVB & 113 oprtmB & oprtvB & oprtVC & !oprtVD & 114 next(VA) & !next(mA) & !next(vA) & 115 !next(VB) & next(mB) & next(vB) & 116 next(VC) | 117 - - closing route 2 118 VA & mB & vB & VC & 119 oprtVA & !oprtmA & !oprtvA & !oprtVB & 120 oprtmB & oprtvB & oprtVC & !oprtVD & 121 !next(VA) & !next(mB) & !next(vB) & 122 !next(VC) | 123 - - human operator opening up route 3 124 oprtVA & oprtmA & oprtvA & oprtVB & 125 oprtmB & oprtvB & oprtVC & oprtVD & 126 !next(VA) & !next(mA) & !next(vA) & 127 next(VB) & next(mB) & next(vB) & 128 !next(VC) & !next(VD) | 129 oprtVA & !oprtmA & !oprtvA & oprtVB & 130 oprtmB & oprtvB & oprtVC & oprtVD & 131 !next(VA) & next(VB) & next(mB) & 132 next(vB) & !next(VC) & !next(VD) |

International Journal of Automation and Computing 04(4), October 2007 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167

oprtVA & oprtmA & oprtvA & oprtVB & oprtmB & oprtvB & !oprtVC & !oprtVD & !next(VA) & !next(mA) & !next(vA) & next(VB) & next(mB) & next(vB) | closing route 3 VB & mB & vB & !oprtVA & !oprtmA & !oprtvA & oprtVB & oprtmB & oprtvB & !oprtVC & !oprtVD & !next(VB) & !next(mB) & !next(vB) | - - human operator opening up route 4 oprtVA & oprtmA & oprtvA & oprtVB & oprtmB & oprtvB & oprtVC & oprtVD & !next(VA) & !next(mA) & next(vA) & next(VB) & next(mB) & !next(vB) & !next(VC) & next(VD) | oprtVA & oprtmA & oprtvA & oprtVB & oprtmB & oprtvB & !oprtVC & oprtVD & !next(VA) & !next(mA) & next(vA) & next(VB) & next(mB) & !next(vB) & next(VD) | - - closing route 4 vA & VB & mB & VD & !oprtVA & !oprtmA & oprtvA & oprtVB & oprtmB & !oprtvB & !oprtVC & oprtVD & !next(vA) & !next(VB) & !next(mB) & !next(VD) | - - opening up routes 1 and 3 oprtVA & oprtmA & oprtvA & oprtVB & oprtmB & oprtvB & oprtVC & oprtVD & next(VA) & next(mA) & next(vA) & next(VB) & next(mB) & next(vB) & !next(VC) & !next(VD) | - - operator inaction !oprt

References [1] L. Bainbridge. Ironies of Automation. New Technology and Human Error, J. Rasmussen, K. Duncan, J. Leplat (ed.), J. Wiley and Sons, New York, pp. 271–283, 1987. [2] J. M. Hoc. Analysis of Cognitive Activities in Process Control for the Design of Computer Aids – An Example the Control of a Blast Furnace. In Proceedings of Interact0 87 – 2nd IFIP International Conference on Human-computer Interaction, H. J. Bullinger, B. Shackel (eds.), Stuttgart, Germany, pp. 257-262, 1987. [3] M. D. Harrison, C. R. Roast, P. C. Wright. Complimentary Methods for the Iterative Design of Interactive Systems. In Proceedings of the 3rd International Conference on Human-computer Interaction on Designing and Using Human-computer Interfaces and Knowledge based Systems (2nd ed.), G. Salvendy, M. J. Smith (eds.), Elsevier Scientific, North Holland, pp. 651–658, 1989. [4] C. W. Johnson. A Principled Approach to the Integration of Human Factors and Systems Engineering for Interactive Control System Design, University of York, USA, 1992. [5] C. W. Johnson, M. D. Harrison. PRELOG – A System for Presenting and Rendering Logic Specifications of Interactive Systems. In Proceedings of Eurographics, C. E. Vandoni, D. A. Duce (eds.), Montreux, Switzerland, pp. 469– 480, 1990. [6] A. J. Dix, Chapter 2. Formal methods. Perspectives on HCI: Diverse Approaches, A. Monk, N. Gilbert (eds.), Academic Press, London, pp. 9–43, 1995.

W. Hussak and S. H. Yang/ Formal Reduction of Interfaces to Large-scale Process Control Systems [7] M. D. Harrison, H. W. Thimbleby. Formal Methods in Human Computer Interaction, Cambridge University, UK, 1990. [8] E. Brinksma, A. Madar. Verification and Optimization of a PLC Control Schedule. In Proceedings of 7th International SPIN Workshop, Lecture Notes in Computer Science, Springer, Stanford, CA, USA, vol. 1885, pp. 73–92, 2000. [9] R. Huuck, B. Lukoschus. Verifying Untimed and Timed Aspects of the Experimental Batch Plant. European Journal of Control, vol. 7, no. 4, pp. 400–415, 2001. [10] J. Kim, I. Moon. Synthesis of Safe Operating Procedure for Multi-purpose Batch Process Using SMV. Computers and Chemical Engineering, vol. 24, no. 2, pp. 385–392, 2000. [11] K. Lano, J. Bicarregui, P. Kan. Experiences of Using Formal Methods for Chemical Process Control Specification. Control Engineering Practice, vol. 8, no. 1, pp. 71–79, 2000. [12] I. Moon, G. J. Powers, J. R. Burch, E. M. Clarke. Automatic Verification of Sequential Control Systems Using Temporal Logic. AIChE Journal, vol. 38, no. 1, pp. 67–75, 1992. [13] T. Park, P. I. Barton. Implicit Model Checking of Logic Based Control Systems. AIChE Journal, vol. 43, no. 9, pp. 2246–2260, 1997. [14] S. T. Probst, G. J. Powers, D. E. Long, I. Moon. Verification of a Logically Controlled Solids Transport System Using Symbolic Model Checking. Computers and Chemical Engineering, vol. 21, no. 4, pp. 417–429, 1997. [15] S. H. Yang, P. W. H. Chung. Automatic Safety Verification of Control Logic Using Symbolic Verifier. In Proceedings of the Chinese Automation Conference, Pacilantic International Ltd, Derby, England, pp. 227–232, 1999. [16] S. H. Yang, L. S. Tan, C. H. He. Automatic Verification of Safety Interlock Systems for Industrial Processes. Journal of Loss Prevention in the Process Industries, vol. 14, no. 5, pp. 379–386, 2001. [17] S. H. Yang, O. Stursberg, P. W. H. Chung, S. Kowalewski. Automatic Safety Analysis of Computer-controlled Plants. Computers and Chemical Engineering, vol. 25, no. 4-6, pp. 913–922, 2001. [18] M. Ben-Ari, Z. Manna, A. Pnueli. The Temporal Logic of Branching Time. Acta Informatica, vol. 20, no. 3, pp. 207– 226, 1983. [19] A. Cimatti, E. Clarke, F. Giunchiglia, M. Roveri. NuSMV: A New Symbolic Model Verifier. In Proceedings of 11th Conference on Conputer-aided Verification, Lecture Notes in Computer Science, Springer, Trento, Italy, vol. 1633, pp. 495–499, 1999. [20] G. J. Holzmann. The SPIN Model Checker, AddisonWesley, Boston, USA, 2003. [21] S. Yovine. Kronos: A Verification Tool for Real-time Systems. International Journal of Software Tools for Technology Transfer, vol. 1, no. 1-2, pp. 123–133, 1997. [22] G. D. Battista, P. Eades, R. Tamassia, I. G. Tollis. Graph Drawing: Algorithms for the Visualization of Graphs, Prentice-Hall, New Jersey, 1999.

421

[23] D. J. Field, A. Hayes, F. R. Hess. Contour Integration by the Human Visual System: Evidence for a Local Association Field. Vision Research, vol. 33, no. 2, pp. 173–193, 1993. [24] H. Purchase. Which Aesthetic Has the Greatest Effect on Human Understanding. In Proceedings of Graph Drawing Symposium, Lecture Notes in Computer Science, G. B. Di (ed.), Springer-Verlag, Heidelberg, Germany, vol. 1353, pp. 284-290, 1997. [25] C. J. Date. An Introduction to Database Systems, 8th Edition, Addison-Wesley, Boston, USA, 2004. [26] B. Lukoschus. Compositional Verification of Industrial Control Systems, Ph.D. dissertation, Institute of Computer Science and Applied Mathematics, University of Kiel, Germany, 2005.

Walter Hussak graduated in mathematics, obtaining the B.Sc. degree in 1979 and the Ph.D. degree in 1983 from Sheffield University. After that he worked as a programmer and studied part-time for an M.Sc. in systems design at Manchester University, awarded in 1987, specializing in formal methods. He joined Manchester University as a research associate before he was appointed to his first university full academic post as a lecturer in computer science at Loughborough University in 1991. He has published several papers at international conferences and in journals, on uses of formal methods in the design and implementation of large-scale systems. Overall he has published six refereed journal and seven conference papers in applied formal methods. His research interests include logic, formal methods, Database concurrency, and graph theory. Shuang-Hua Yang received his Ph.D. degree in control engineering from Zhejiang University in 1991. He is currently a professor of networks and control in computer science and the director of the Networks and Control Research Group at Loughborough University in the UK. He is also an overseas guest professor at Central China Normal University, Huazhong University of Science and Technology, China University of Petroleum, and Liaoning University of Petroleum and Technology. He is a member of the EPSRC peer review college in the UK. He is also a fellow of the Institute of Measurement and Control, the chairman of the East Midlands Section of the Institute, and a chartered engineer (CEng) in the UK. He is a senior member of IEEE. He serves as an associate editor of International Journal of Systems Science and the International Journal of Process Systems Engineering, and a member of the editorial advisory board of International Journal of Information and Computer Security and Journal of the Institute of Measurement and Control. His research interests include wireless sensor networks, networked control, safety critical systems, and real time software maintenance.