Formal Synthesis Approach for Distributed Process


H.-C. Lapp, D. Missal and H.-M. Hanisch Martin Luther University of Halle-Wittenberg, Germany

FORMAL SYNTHESIS APPROACH FOR DISTRIBUTED PROCESS CONTROL

Abstract

Earlier works on synthesis in the authors' working group dealt with synthesis of distributed safety controllers. An approach for synthesis of distributed process control is proposed in this contribution. Due to the characteristics of process control, structural properties of the formal model representing the plant and a formal specification of the system behavior are the base for the synthesis process. An existing approach using these structural properties is extended regarding the specifics of process control. Safe Net Condition/Event Systems are used for formal modeling.

1. Introduction

The common goal of any synthesis method is to generate a controller model automatically. Formal synthesis is a procedure, proven to be correct, for generating a control model based on a formal plant model and a formal specification of intended and/or forbidden system behavior. Figure 1 shows the steps to be carried out from system and specification descriptions to correct controller code. The approaches for control and supervisor synthesis differ in the used behavior models as well as in the control structure. Complexity is generally a problem for synthesis algorithms, especially if an explicit state description is used. That holds also for the use of reachability analysis in implicit state description models, which therefore has to be avoided. Hence, we combine the implicit system model of Net Condition/Event Systems (NCES) with synthesis algorithms that avoid the computation of the whole reachability space. Distributed controllers with communication ([1], [2], [3]) can interchange local observations or variables defining local states ([4], [5]). We synthesize distributed controllers with communication of state information. Hereby, the main focus of this contribution is the synthesis of process control.

Figure 1. Synthesis procedure.

Synthesis Approach for Distributed Process Control H.-C. Lapp, D. Missal and H.-M. Hanisch 1

Earlier works of our research group regarding control synthesis progressed from a monolithic synthesis approach [14] to a modular one for distributed synthesis of safety controllers [11]. This contribution deals with synthesis of distributed process control, which builds on these earlier research results. A characteristic of process control is recurring operation sequences of the plant behavior. These operation sequences are reflected in sequential specifications describing one production cycle and terminating in the initial state. The plant elements themselves are naturally modeled to be reversible. This leads to model structures containing invariants. Using these invariants as the starting point for the synthesis approach is the main matter of this contribution. Therefore the basis of structural analysis methods on Net Condition/Event Systems is extended regarding the special signal arcs of NCES. The potential of using invariants on the Petri net parts (underlying Petri nets) of an NCES is discussed in [6]. Starting from this point, the proposed approach tries to find controllable and specification-compliant trajectories through the state space of the formal plant model without performing a complete reachability analysis. Not only the synthesis approach differs from the one introduced in [11], but also the specification does. In this contribution the specification is about the desired behavior of the plant and/or the desired changes of workpiece properties during manufacturing. Specifying undesired states or state transitions, as for safety controller synthesis in [11], is still possible. After the characterization of the model including its structural analysis, the plant modeling and the used specification are discussed. The synthesis approach is presented in the next section. The contribution is closed by a conclusion.

2. The Model

Safe Net Condition/Event System models, specifications in terms of Safe Net Condition/Event Systems and state predicates are used for the synthesis approaches presented in the following. Modeling with Safe Net Condition/Event Systems provides structural advantages during the modeling process as well as for the consecutive synthesis. Manufacturing systems are mostly assembled of repetitively used elements. The complexity of a system often depends only on the number of such elements. Systems can be modeled as a composition of their basic elements using the real modularity and hierarchical composition enabled by these models. The model offers a natural way to model a possibly large system behavior by combining models of the behavior of the physical elements.

2.1 Model Syntax and Semantics

A safe Net Condition/Event System is a sub-class of the Net Condition/Event Systems (NCES) introduced in [7]. The definition is restricted to a one-bounded net configuration and is therefore called safe. Within the model, two kinds of modules are defined. The first are basic modules. A safe Net Condition/Event Module is a tuple:

where the tuple comprises the set of places, the set of transitions, a set of (ordinary) arcs, a set of condition signals, a set of event signals, the set of condition inputs, the set of condition outputs, the set of event inputs, the set of event outputs, the set of condition input arcs, the set of condition output arcs, the set of event input arcs, the set of event output arcs, the event mode for every transition, and the initial marking. The set of event signals EN is cycle free, i.e.:

The event mode of a transition declares whether incoming event signals are combined in “OR” or “AND” mode. The conjunctive mode is the default, and the corresponding symbols are omitted. Every transition without an incoming event signal is called a trigger transition. Transitions with one or more incoming event signals are called forced transitions. Thus, the event mode is meaningful only for forced transitions. Short notations are used for the set of pre-transitions and the set of post-transitions of a place p, for the sets of pre- and post-places of a transition t, for the set of event sources of an event sink transition t and for the set of event sinks of an event source transition t. The second kind of modules is defined for the hierarchical combination of (basic) modules and is called composite module. A safe Net Condition/Event System is defined as follows:
1. Every safe Net Condition/Event Module is a safe Net Condition/Event System.
2. Every tuple of the following four components is a safe Net Condition/Event System iff
a. the first component is a finite non-empty set of safe Net Condition/Event Modules; every element of this set is called a submodule of the system,
b. the second component is an I/O set,
c. the third component describes the condition interconnection within the system,
d. the fourth component describes the event interconnection within the system.
Such a system is called a composite module. If all submodules of a composite module are basic modules, then it is called a basic system.

An input state is defined for the signal inputs and outputs of modules as follows: the input state is of a module is a mapping assigning a value to each signal input. The semantics are given in terms of steps. Steps are sets of transitions interconnected via event signals. An event signal synchronizes two transitions in one direction under the enabling conditions. Only the marking of places and the input state of a module are of interest for the enabling of a transition and a step. A transition of a module is:
1. marking enabled at a marking m iff all its pre-places are marked and all its post-places are unmarked;
2. condition enabled at marking m and input state is iff all places that are connected to it via condition arcs are marked and all connected condition inputs have the value one.
With these terms we can define sets of event-interconnected transitions that are called steps in general and enabled steps in particular. Let M be a module with the marking m, the input state is and a non-empty set of transitions within M. This set is a step iff its transitions are interconnected via event signals as described above and all transitions are free of conflicts with each other. A step is called an enabled step under m and is iff it is marking and condition enabled under m and is and there is no strict superset of it which is also a step and marking and condition enabled under m and is. The enabled steps so defined are always maximal steps and contain exactly one trigger transition. Conflict transitions must not be part of the same step. The effect of firing an enabled step on the marking of the net is defined as follows. Let M be a module with the marking m and the input state is. If a step is an enabled step under m and is, then it is enabled to fire. The successor marking is determined for every place to:

The semantics are defined for modules only, because composed system models (the system is transformed into one basic module) are analyzed in the following. The composition is formally defined in [8].

2.2 Structural Analysis

Structural property analysis allows some conclusions on the model behavior without explicit construction of all reachable markings. There is not much work on structural properties of NCES. Structural properties known from Petri nets are place and transition invariants (p- and t-invariants for short) [9]. The property of state invariants is introduced for Signal Net Systems (SNS) in [6]. A state invariant (s-invariant for short) is a non-constant mapping defined on the set of all imaginable states which is constant on the set of all reachable states. Every (linear) state invariant of the underlying Petri net PN of a module M is a (linear) state invariant of M. That is because token flow within a module is exclusively realized by the nodes of the underlying Petri net. The underlying Petri net consists of the places, transitions and ordinary arcs of a module.

A t-invariant is described by a Parikh vector which gives a transition sequence. At the end of this sequence the same marking is reached from which the sequence started; the marking (state) is invariant. In other words, t-invariants describe cycles in the reachability graph. So, for the synthesis procedure of process control, t-invariants are an important feature. P-invariants are state invariants independent of the initial marking of a model. Methods of p-invariant calculation known from Petri nets can be used to determine a subset of the state invariants of a module. Until now there is no method described for the calculation of the whole set of state invariants without computing the whole reachable state space. The following method is also not able to solve that problem. Nevertheless, it adds a new subset of state invariants not covered by p-invariants. Unlike p- and t-invariants based on the underlying Petri net, the event synchronizations are structural properties explicitly based on signals, more precisely on event interconnections. An event signal synchronizes two transitions in one direction under the enabling conditions. That means that the event source forces the event sink to fire synchronously if both are enabled. The event sink cannot fire on its own or force the signal source. A set of pairs of transitions interconnected by event arcs can lead to state invariants not covered by place invariants. An example is shown in Figure 2. The reachable states are (p3,p4), (p2,p5) and (p1,p5). The example contains the two p-invariants m(p1)+m(p2)+m(p3) = 1 and m(p4)+m(p5) = 1. Further, we can see that m(p3)+m(p5) = 1 always holds under the given initial marking. The place p5 influenced by the event sink transitions is said to be event synchronized with the place p3 surrounded by the source transitions.

Figure 2. Example for event synchronized places.

The additional state invariant m(p1)+m(p2)+m(p4) = 1 can be constructed by combining the p-invariants and the event synchronization. A place is synchronized with another place if all transitions of the pre-region and of the post-region of both places are interconnected by event arcs and there are no additional condition arcs at the pre- and post-transitions of the synchronized place. The event interconnections have to be directed from the transitions surrounding the one place to all the transitions surrounding the synchronized place. The token flow from and to the synchronized place has to be influenced only by the forced transitions. Let M be a module with its initial marking. A place is event synchronized with another place if the following holds:

For two places with an event synchronization of the one to the other, the corresponding relation between their markings holds in every reachable marking if it holds for the initial marking.

Synchronized places seem to be behaviorally redundant to the model parts they are synchronized with, but the systematic and modular modeling as described in the next section, for example, leads to such structures. The determination of event synchronized places was described in [11]. The structural property of synchronicity can be used to speed up algorithms for analysis and to improve applications of partial markings. For example, in Figure 2 the two transition invariants {t3, t4} and {t5, t6} can be joined into a single one {t3, t4, t5, t6}. More about extending transition invariants follows in Section 4.1.
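The following is an added example, my own code and not a model from the paper: a small constructed two-module net (places p1, p2, p3 in one module, p4 and p5 in the other, coupled only by event arcs) built so that it has exactly the reachable markings and invariants the text states for Figure 2; the concrete arcs and the "OR" event mode assumed for t6 are my choices, not the paper's figure. It implements the step semantics of Section 2.1 for a net without condition arcs, checks p-invariants of the underlying Petri net against the incidence matrix, enumerates the reachable markings, and verifies that m(p3)+m(p5) = 1 is a state invariant although it is not a p-invariant, using the Section 2.2 event-synchronization test as I read it.

```python
from itertools import product

# Constructed net (not the paper's Figure 2 model): module A = {p1, p2, p3},
# module B = {p4, p5}; no shared places, coupled only by event arcs.
PLACES = ["p1", "p2", "p3", "p4", "p5"]
TRANS = {  # transition -> (pre-places, post-places) of the underlying Petri net
    "t1": ({"p2"}, {"p1"}),
    "t2": ({"p1"}, {"p3"}),
    "t3": ({"p3"}, {"p2"}),
    "t4": ({"p2"}, {"p3"}),
    "t5": ({"p4"}, {"p5"}),
    "t6": ({"p5"}, {"p4"}),
}
# event arcs: source transition -> sink transitions it forces (t6 has two
# sources and is assumed to use the disjunctive "OR" event mode)
EVENT = {"t3": {"t5"}, "t2": {"t6"}, "t4": {"t6"}}
SINKS = {snk for snks in EVENT.values() for snk in snks}  # forced transitions
M0 = frozenset({"p3", "p4"})                               # initial marking
# weight vector of m(p3)+m(p5): not a p-invariant, but a state invariant here
Y35 = {"p1": 0, "p2": 0, "p3": 1, "p4": 0, "p5": 1}

def incidence():
    """Incidence matrix C[p][t] of the underlying Petri net; signal arcs move
    no tokens and therefore do not appear in it."""
    return {p: {t: (p in post) - (p in pre) for t, (pre, post) in TRANS.items()}
            for p in PLACES}

def is_p_invariant(y):
    """y (place -> weight) is a p-invariant iff y*C is zero for every transition."""
    C = incidence()
    return all(sum(y[p] * C[p][t] for p in PLACES) == 0 for t in TRANS)

def p_invariants():
    """Minimal-support 0/1 p-invariants, brute-forced (fine for a safe toy net)."""
    found = []
    for bits in sorted(product((0, 1), repeat=len(PLACES)), key=sum):
        y = dict(zip(PLACES, bits))
        supp = frozenset(p for p in PLACES if y[p])
        if supp and is_p_invariant(y) and not any(s <= supp for s in found):
            found.append(supp)
    return found

def marking_enabled(t, m):
    """Safe-net rule: all pre-places marked and all post-places unmarked."""
    pre, post = TRANS[t]
    return pre <= m and not (post & m)

def enabled_steps(m):
    """Enabled steps under m (this net has no condition arcs): one trigger
    transition plus the closure of the enabled sinks it forces; sinks never fire alone."""
    steps = []
    for trig in TRANS:
        if trig in SINKS or not marking_enabled(trig, m):
            continue
        step, frontier = {trig}, [trig]
        while frontier:
            for snk in EVENT.get(frontier.pop(), ()):
                if snk not in step and marking_enabled(snk, m):
                    step.add(snk)
                    frontier.append(snk)
        steps.append(frozenset(step))
    return steps

def fire(step, m):
    """Successor marking: consume pre-places, produce post-places of every transition."""
    new = set(m)
    for t in step:
        pre, post = TRANS[t]
        new = (new - pre) | post
    return frozenset(new)

def reachable(m0=M0):
    """All markings reachable from m0 by firing enabled steps."""
    seen, todo = {m0}, [m0]
    while todo:
        m = todo.pop()
        for step in enabled_steps(m):
            m2 = fire(step, m)
            if m2 not in seen:
                seen.add(m2)
                todo.append(m2)
    return seen

def is_state_invariant(y):
    """Linear state invariant: y*m takes a single value on all reachable markings."""
    return len({sum(y[p] for p in m) for m in reachable()}) == 1

def event_synchronized(p_src, p_snk):
    """Section 2.2 test as read here: every transition around p_snk is a sink
    whose event sources all lie around p_src, and every transition around
    p_src forces at least one transition around p_snk."""
    def around(p):
        return {t for t, (pre, post) in TRANS.items() if p in pre or p in post}
    src, snk = around(p_src), around(p_snk)
    sources = {t: {s for s, sinks in EVENT.items() if t in sinks} for t in snk}
    return (all(t in SINKS and sources[t] <= src for t in snk)
            and all(EVENT.get(t, set()) & snk for t in src))
```

Running `p_invariants()` yields the supports {p1, p2, p3} and {p4, p5}; `reachable()` yields the three markings named in the text; `is_p_invariant(Y35)` is false while `is_state_invariant(Y35)` is true, and `event_synchronized("p3", "p5")` holds in this direction only. The same check confirms the derived invariant m(p1)+m(p2)+m(p4) = 1.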

3. Plant Modeling and Specification

3.1 Well-Structured Plant Modeling

Detailed behavior models of the uncontrolled plant are used for controller synthesis on the shop-floor level. The plant behavior modeling is discussed in more detail in [10]. Some major modeling rules are given in the following. Models following those rules are called well-structured models. The plant models contain models of the behavior of every physical element, for example sensors, actuators (valves, electrical relays, etc.), cylinders, drives and so on. The basic behavior model of every element is encapsulated within a basic module. Workpiece properties are also modeled in basic modules. Such properties are physical properties of the processed workpiece and position information belonging to it. These basic modules are composed in different hierarchy levels and form units. The controllability of plant model elements is modeled by open signal inputs and their interconnections with transitions. Signal sink transitions of such interconnections are controllable. We only consider condition inputs for the control type addressed in this paper. The pre- and post-places of controllable transitions are defined to be observable under two conditions. First, the places have only controllable transitions as pre- and post-transitions. Second, the controller's initialization ensures a plant state complying with the initial state of the plant model. The state of the controlled plant parts can be mapped to the controller output state if both conditions are satisfied. The set of controllable transitions and the set of controlled places are defined accordingly. The sensors of a plant are naturally the observable part. The state of sensor models is modeled event synchronized to the associated plant state. The observable plant parts are modeled by signal connections to open signal outputs. Accordingly, such open condition outputs and associated interconnections are modeled for the places of sensor models, and the set of observable places is defined on this basis. Binary actuators and sensors are generally modeled by simple state machines controlled/observed by condition signal pairs interpreted as Boolean variables. The structural (hierarchical) aspect is important for further use of the model besides its relevance for the behavior modeling process. The boundaries of units of the plant naturally follow the composition of the physical elements within the real plant. The plant units should consist of the physical elements forming a more or less independent functional unit. Mostly actuators, moving elements and sensors together form such units, as in the example of Figure 3. The unit module includes models of the workpiece properties influenced by or influencing those physical elements. The structure of the model or its hierarchical composition, respectively, directly influences the synthesis result. The presented approach synthesizes one distributed controller for every unit.

Figure 3. Model cutout of a testing station (measuring unit, ejection unit)

3.2 Specification

The specification for safety controllers, as presented in [11], consists of forbidden states (undesired behavior). In the case of process control, the specification is more complex. Here, the process behavior is specified by changes of the workpiece properties, in other words the transformations of the workpiece, during the manufacturing process. Workpiece properties are geometric properties, workpiece position, progress of workpiece processing, etc. For the synthesis approach introduced in this contribution, partial orders over workpiece properties and workpiece positions are specified. This specification is given in terms of NCES and is connected via event arcs with the modeled workpiece properties in the plant model. This linking was also used in [12] and [13]. In other words, the specification is a coarse description of the activities within the plant, represented in terms of NCES. A simple example is given in Figure 4.

Because synthesis of process control deals with cyclic processes, the specification should be cyclic too. If it is not, additional components can be added to extend the specification to a cyclic one. For one of our laboratory-scale demonstrators we have a complete specification in SysML. Currently an appropriate NCES specification is derived manually, but it is possible to automate this step if an unambiguous name assignment from the SysML specification to NCES nodes is guaranteed. Next to the specification over workpiece properties, additional ancillary conditions can be specified. These could be forbidden states or state transitions. In [11] the definition of forbidden states in terms of state predicates was given. For simplification, in the following a fact has the meaning of a forbidden state or place.

Figure 4. Example specification cutout over workpiece position, according to Figure 3.

4. Synthesis Approach

Based on structural properties of models of the uncontrolled plant behavior, a modeling of workpiece properties and a specification of the desired system behavior, our synthesis approach for process controllers avoids the computation of the whole reachable state space. Instead, we extract specification-compliant and controllable trajectories through the state space of the plant behavior model. These trajectories are used to generate the process control. The formal synthesis of the control modules follows four steps:
1. Generate a superset of trajectories realizing specification-compliant plant behavior.
2. Determine specification fulfilling trajectories, using the results of the foregoing step to reduce complexity.
3. Determine controllable and specification fulfilling trajectories based on the results of the foregoing step (we try to find the shortest trajectories; further optimization is not a subject of the current research).
4. Distribution and code generation.

4.1 Specification-Compliant Behavior

The specified process is cyclic. Therefore, only firing sequences (sequences of enabled steps) satisfying transition invariants can comply with any process specification. The t-invariants for the Petri net parts of a module can be calculated by determining the incidence matrix of the Petri net parts and solving the corresponding equation system. The calculated set of t-invariants is extended by back tracing the event signal structures. Hereby, the following fact is useful to get candidates for specification fulfilling trajectories. Let a transition in module M force, via an event connection, a transition in module N. The forced transition can only be part of a feasible trajectory if the forcing transition is part of a t-invariant in module M. Otherwise the t-invariant containing the forced transition is not feasible and hence also no candidate for a specification-compliant trajectory. Remember that this approach requires isolated Petri net parts which are interconnected with signal arcs (event and condition arcs). Well-formed models, where each (basic) module contains only one Petri net component, fulfill this requirement.

4.2 Specification Fulfilling Trajectories

The reduced and implicitly described candidate set, determined in the foregoing step, is the base for the real synthesis. Regarding the calculated extended t-invariants and the specification, we start a partial reachability analysis at the initial marking. Thereby, “partial” means that the analysis only progresses along specification-compliant trajectories. As abort criteria we use the contradiction of a calculated step with a t-invariant or its extension (by event structures). A second abort criterion is given if a step fulfills an ancillary condition which was specified as a fact. The transitions causing conflicts regarding the specification are buffered, so that they can be used in the next step of the synthesis.

4.3 Specification-Compliant and Controllable Trajectories

A trajectory is said to be controllable if, in every reachable state of the plant, the control is able to realize the desired plant behavior by control interventions. These are represented by the condition and event inputs in the model of the uncontrolled behavior of the plant. If this property is not fulfilled for a trajectory, it is removed from the candidate set. The abort points from the foregoing section represent deadlocks in the specification-compliant state space. For these deadlocks we examine whether they could be avoided by setting a control input during an earlier step of the trajectory. Therefore, the backward search described in [11] and earlier works is utilized. It explores the uncontrollable pre-region of such a deadlock and tries to find a controllable step. At this controllable step, a control intervention could avoid reaching the deadlock. Figure 5 shows the principle of the backward search in this approach. The results are the base for generating the models for the process controller. Finally, if several controllable and specification-compliant trajectories are found, the one with the lowest possible count of state transitions is chosen. Our current approach is based on a completely observable state space. Future work will consider an incompletely observable state space, like the approach for safety controllers in [11].

Figure 5. Principle of backward search for controllable steps.

4.4 Distribution and Code Generation

The result of the foregoing section is a set of monolithic control functions. For a distributed process control (with communication) this set must be distributed into local controller models. Based on the modular modeling, the determined controllable and specification-compliant trajectories are divided into partial or local trajectories. The steps of each local trajectory are related to only one module. The control model for each plant component control is represented by the corresponding local trajectory, under the assumption of complete observability. Currently the distribution and code generation have to be done semi-automatically, but in future work this should be automated.
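An added example for the candidate generation of Section 4.1, written for this page and not taken from the paper: t-invariants of the underlying Petri net are brute-forced from the incidence matrix, each one is extended by back-tracing the event arcs, and an invariant is dropped when it contains a forced transition none of whose event sources lies in any t-invariant. The three-module net is constructed for the purpose (module A contains a dead-end branch t0 so that the infeasible case actually occurs); treating a sink with several sources as feasible when any one source is covered is my reading of the rule in the text.

```python
from itertools import product

# Constructed three-module net (an assumption for this example, not the
# paper's model).  Module A: p0..p3, module B: p4, p5, module C: p6, p7.
# Modules share no places and are coupled only by event arcs.  t0 leads into
# the dead-end place p0, so t0 lies in no t-invariant of A.
PLACES = ["p0", "p1", "p2", "p3", "p4", "p5", "p6", "p7"]
TRANS = {  # transition -> (pre-places, post-places)
    "t0": ({"p1"}, {"p0"}),
    "t1": ({"p2"}, {"p1"}),
    "t2": ({"p1"}, {"p3"}),
    "t3": ({"p3"}, {"p2"}),
    "t4": ({"p2"}, {"p3"}),
    "t5": ({"p4"}, {"p5"}),
    "t6": ({"p5"}, {"p4"}),
    "t7": ({"p6"}, {"p7"}),
    "t8": ({"p7"}, {"p6"}),
}
# event arcs: source -> sinks it forces; t7 is forced only by the dead-end t0
EVENT = {"t3": {"t5"}, "t2": {"t6"}, "t4": {"t6"}, "t0": {"t7"}}

def incidence():
    """Incidence matrix C[p][t] of the underlying Petri net."""
    return {p: {t: (p in post) - (p in pre) for t, (pre, post) in TRANS.items()}
            for p in PLACES}

def t_invariants(max_weight=2):
    """Minimal-support t-invariants: supports of non-zero Parikh vectors x with
    C*x = 0, brute-forced over small non-negative weights (toy-net sized)."""
    C = incidence()
    found = []
    for vec in sorted(product(range(max_weight + 1), repeat=len(TRANS)), key=sum):
        x = dict(zip(TRANS, vec))
        supp = frozenset(t for t in TRANS if x[t])
        if not supp or any(s <= supp for s in found):
            continue
        if all(sum(C[p][t] * x[t] for t in TRANS) == 0 for p in PLACES):
            found.append(supp)
    return found

def extend(inv):
    """Back-trace the event structure: add every sink forced by a transition of
    inv, transitively (the Section 4.1 extension of a t-invariant)."""
    ext, frontier = set(inv), list(inv)
    while frontier:
        for snk in EVENT.get(frontier.pop(), ()):
            if snk not in ext:
                ext.add(snk)
                frontier.append(snk)
    return frozenset(ext)

def feasible(inv, invariants):
    """A forced transition of inv is feasible only if one of its event sources
    lies in some t-invariant; otherwise inv cannot be part of any trajectory."""
    covered = set().union(*invariants)
    for t in inv:
        sources = {s for s, sinks in EVENT.items() if t in sinks}
        if sources and not (sources & covered):
            return False
    return True

def candidates():
    """Extended, feasible t-invariants: the candidate set handed on to the
    partial reachability analysis of Section 4.2."""
    invs = t_invariants()
    return {extend(inv) for inv in invs if feasible(inv, invs)}
```

For this net `t_invariants()` finds {t3, t4}, {t1, t2, t3}, {t5, t6} and {t7, t8}; `extend` joins {t3, t4} with {t5, t6} into {t3, t4, t5, t6} exactly as Section 2.2 describes for Figure 2, while {t7, t8} is rejected because its forced transition t7 is driven only by t0, which belongs to no t-invariant.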

5. Conclusion

This work introduces a synthesis approach for process control which avoids the calculation of the complete reachable state space. Based on a specification of the desired system behavior and a well-formed formal model of the uncontrolled plant behavior, we determine specification-compliant and controllable trajectories through the state space of the uncontrolled plant without calculating the whole reachable state space. These trajectories are used to generate the process control model. Adapted concepts from earlier works, namely the backward search and the distributed synthesis, complete the synthesis. Even though the last described steps are still under research, the approach shows a way to deal with the issue of computational complexity for the synthesis of process control.

Acknowledgement This work is supported by the German Research Foundation under reference HA 1886/17-1.

References

[1] G. Barrett and S. Lafortune, On the synthesis of communicating controllers with decentralized information structures for discrete-event systems, in Proceedings of the 37th IEEE Conference on Decision & Control, Tampa, Florida, USA. IEEE, December 1998.

[2] K. Rohloff and J. van Schuppen, Approximation minimal communicated event sets for decentralized supervisory control, in Proceedings of the IFAC World Congress, Prague, Czech Republic, July 2005.

[3] M. Iordache and P. Antsaklis, Supervisory Control of Concurrent Systems, ser. Systems and Control: Foundations & Applications. Birkhäuser Boston, 2006.

[4] R. Leduc and P. Dai, Synthesis method for hierarchical interface-based supervisory control, in Proc. of 26th American Control Conference, New York City, USA, July 2007, pp. 4260–4267.

[5] X. Guan, Distributed supervisory control of forbidden conditions, and automated synthesis and composition of task controllers, Ph.D. dissertation, The Graduate School, University of Kentucky, 2000.

[6] P. Starke and S. Roch, Analysing signal-net systems, Humboldt-Universität zu Berlin, Berlin, Tech. Rep., September 2002.

[7] H.-M. Hanisch and M. Rausch, Net condition/event systems with multiple condition outputs, in ETFA Emerging Technologies and Factory Automation, Paris, France, October 1995, pp. 592–600.

[8] J. Thieme, Symbolische Erreichbarkeitsanalyse und automatische Implementierung strukturierter, zeitbewerterter Steuerungsmodelle, ser. Hallenser Schriften zur Automatisierungtechnik. Logos-Verl., 2002.

[9] J. Desel and W. Reisig, Lectures on Petri Nets I: Basic Models, LNCS 1491. Springer-Verlag, 1998, ch. Place/transition Petri nets, pp. 122–173.

[10] D. Missal and H.-M. Hanisch, Modular plant modelling for distributed control, in IEEE Conference on Systems, Man, and Cybernetics, Montreal, Canada, October 2007, pp. 3475–3480.

[11] D. Missal and H.-M. Hanisch, Synthesis of distributed safety controllers with incomplete state observation, in Annual Conference of the IEEE Industrial Electronics Society (IECON 2009), Porto, Portugal, 2009.

[12] A. Lüder and H.-M. Hanisch, Synthesis of admissible behavior of Petri nets for partial order specifications, in 5th International Workshop on Discrete Event Systems (WODES 2000), Kluwer Academic Press, 2000, pp. 409–420.

[13] L. Pinzon, M. Jafari, H.-M. Hanisch and P. Zhao, Modelling admissible behavior using event signals, IEEE Transactions on Systems, Man and Cybernetics, Part B: Cybernetics, vol. 34, 2004, pp. 1435–1448.

[14] D. Missal and H.-M. Hanisch, Synthesis of distributed controllers by means of a monolithic approach, in Proceedings of the Conference on Emerging Technologies and Factory Automation (ETFA), 2006, pp. 356–363.
