Verification of Logic Controllers for Continuous Plants Using Timed Condition/Event-System Models 1


Automatica - Special Issue on Hybrid Systems, 35:3, March

S. Kowalewski, S. Engell, J. Preußig and O. Stursberg [2]

Suggested running title: Verification of Logic Controllers for Continuous Plants

Subtitle: A modular and timed discrete event modeling framework is used to analyze the correct function of logic controllers for continuous processes in a rigorous manner.

Keywords: Formal Verification, Programmable Logic Controllers, Distributed Control Systems, Discretization of Continuous Systems, Hybrid Systems, Condition/Event Systems, Timed Automata.

Abstract: An approach to the formal verification of logic controllers for processes with switched continuous dynamics is presented. The method builds on modular, timed discrete event models of the plant and the controller. Subsystems with continuous dynamics are approximated algorithmically. The formal verification consists of determining the reachable discrete states of the resulting model and comparing them to a set of undesired states. For this purpose, the tool HyTech is applied. The approach is illustrated by the treatment of a process engineering example.

[1] Portions of this paper were presented at the 13th IFAC World Congress, San Francisco, USA, 1996 (Kowalewski and Preußig, 1996b).
[2] Process Control Laboratory, Chemical Engineering Department, University of Dortmund, D Dortmund, Germany. Corresponding author: S. Kowalewski, s.kowalewski@ct.uni-dortmund.de

1 INTRODUCTION

This contribution deals with the problem of analyzing the behavior of technical systems which are composed of a logic controller and a plant with continuous dynamics that can be switched by the controller outputs. The work is motivated by the current situation in the processing industry, where such constellations are widespread due to the increasing use of programmable logic controllers (PLCs) and distributed control systems (DCSs). The major part of the software running on these systems performs logic control functions. This occurs in the classical applications of logic controllers such as process supervision to avoid unwanted states of the process or damage to the equipment, sequence control, or startup and shutdown procedures. Even if the core part of the automation software is for continuous control, it will be supported by a large portion of discrete control logic responsible, e.g., for supervising sensor inputs and outputs to actuators with respect to violations of thresholds for the values and the rates of change, replacing them by default values in case of assumed failures, or switching the mode of operation. Both from the point of view of economic plant operation and from the point of view of safety and environmental protection, it is highly desirable that the enormous amount of control software and hardware which processes discrete signals and performs logical operations works correctly. Design errors in the control logic are much more costly than in continuous controllers (which usually are put to manual operation if they do not work properly). In contrast, whereas continuous controllers can be, and in some cases really are, designed using sophisticated methods and extensive simulation studies, the discrete control logic is still produced in a much less systematic manner. In the worst, but not unusual, case, incomplete specifications are implemented directly in low-level code which then has to be improved by testing on-site.

The described situation has led to a number of activities in the process industry, the related standardization organisations and process control system vendors to support a systematic and less error-prone development process for logic control software. Notable examples are the standards ISA S88 (ISA, 1995), which proposes a certain structure for the sequence control logic of batch processes, and IEC 1508 (IEC, 1996), which includes a reference model for the software development lifecycle of safety-related software. This model presents a systematic development process consisting of several successive steps such as requirements specification, architecture design, and system and module design. The result of each step is first compared to the requirements from the previous step and, after coding, tested against specifications on a suitable level of abstraction. Both activities are termed "verification", whereas the overall aim, to show that the safety requirements are met, is called "validation" and builds on all the single verification steps. Note that in this paper, a different notion of verification is used. A further initiative to improve logic control software reliability is represented by the "Good Manufacturing Practice" guidelines of the FDA (FDA, ) which, among many other requirements, demand that all relevant information about the control logic, its development process, and changes to it has to be documented carefully and discussed with experts both inside the companies and from authorities outside. All the mentioned guidelines complement standard methods for the systematic safety analysis of process designs and operating procedures like HAZOP (CCPS, 1985), which usually are not applied to check control logic. These examples show that there exist a number of approaches to improve the development process of logic control software.
However, all these methods are not strictly formal, which means that the representations do not have a mathematical foundation and the activities cannot be realized completely algorithmically. This implies that the success of their application relies to a certain extent on the intuition and experience of the user.

In this paper, a formal verification approach is presented which builds on formal models of the logic controller, the plant and the behavior specifications for the closed-loop system, and uses mathematical procedures for transforming and analyzing these models. In the development process of logic control software, it can be applied when the complete control system, consisting of the already designed controller and the given plant, has to be checked against specifications for the behavior of the controlled process. Thus, it complements the final validation testing. It should not be seen as a substitute for testing, because in this approach all possible reactions of the continuous plant in all conceivable situations, including equipment failures, have to be included in the model, and in practice this can only be achieved up to some level of certainty and complexity. Still, there may be an enormous benefit from a systematic exploration of the huge space of all possible combinations and sequences of events compared with discussions based solely on common sense.

The notion of formal verification originates from computer science where, in general terms, it means a mathematical proof that a model of an algorithm fulfills given formal properties. In the last decades, different representations and methods have been developed and, in recent years, some of them have been applied successfully in the area of hardware and communication protocol design (see Clarke and Kurshan, 1996, for a survey). In the context of this paper, i.e. logic controllers for processing systems, the pioneering work goes back to Moon et al. (1992) for control programs represented in Relay Ladder Logic.
They applied the symbolic model checking method of Burch et al. (1992), in which the system to be verified is modeled as a finite state machine and the specifications of the desired behavior are represented by temporal logic expressions. The approach has been extended to include plant models, and recent applications show that the formal verification of logic controllers for processes of moderate size is possible (Probst et al., 1997). The continuous dynamics of subsystems of the plant are discretized in an elementary manner: the range of values of each continuous variable is partitioned into intervals and the model simply describes the transitions between these intervals. Timers are captured in the same qualitative fashion by neglecting the timer value and keeping only two states, running and elapsed. This information is not sufficient for checking real-time constraints, e.g., whether a controller response to a plant event is fast enough to avoid unwanted process behavior.

A verification method based on a switched continuous model and, in principle, avoiding any abstraction has been suggested by Dimitriadis et al. (1996 and 1997). The reachability problem is reformulated as an optimization problem in the discrete time domain which can be solved by Mixed Integer Programming. Basically, the optimization determines the worst possible controller behavior, meaning that the system is most often in an undesired region of the continuous state space. The approach is general in the sense that it can be applied to hybrid systems as well as to purely discrete or purely continuous systems. Its strength lies in the ability to take advantage of well-tested and efficient optimization procedures. A limitation is given by the fact that the size of the Mixed Integer Program grows with the product of the number of discrete time steps and the number of equations describing the plant and logical expressions describing the controller. It is therefore unclear whether this approach can handle problems of realistic size.

In this contribution an approach is presented which builds on recent extensions of model checking to capture real-time and hybrid dynamics, and introduces a modular, block-oriented modeling framework for hybrid systems. It aims at applications where formal verification requires a quantitative analysis of the interaction between timers or threshold values in the logic control program and the plant dynamics. The particular modeling paradigm used is that of timed condition/event systems. Subsystems with continuous dynamics are mapped to a timed condition/event system by an automatic abstraction procedure. The resulting models for plant and controller are composed and analyzed by means of HyTech, a tool from computer science for the analysis of timed and hybrid automata.

The remainder of the paper is organized as follows. To provide a motivation for the practical need for formal verification of logic control programs and to give an impression of the type of problems found in practice, we start with a simple process engineering example. It is used throughout the paper to illustrate important concepts. In Sec. 3, the methodology of the approach is sketched. Section 4 describes the modeling framework including the approximation procedure for continuous systems. Aspects of the analysis and results for the example are presented in Section 5. A discussion concludes the paper.

2 EXAMPLE

The following example of a batch evaporation process serves to motivate the verification problem considered in this paper. Fig. 1 shows the piping and instrumentation diagram of the evaporator plant. The following production sequence takes place. First, the solution which has to be separated is filled into tank T1, and the solvent is evaporated until a desired concentration of the dissolved substance is reached. During the evaporation stage, the condenser C1 is in operation and collects the vapour coming from T1. When the desired concentration is reached, the material is drained from T1 into T2 as soon as T2 is available (i.e. emptied from the previous batch). A post-processing step then takes place in T2, before the material can be pumped out of T2 to a downstream part of the plant.

We focus our attention on the problem of the appropriate reaction of the controller to a cooling breakdown in the condenser. This failure leads to a temperature and pressure increase in the condenser tube C1 and the evaporator tank T1 if the evaporation process is not stopped. It has to be avoided that the pressure in C1 rises above an upper limit. To achieve this, the heating in T1 has to be switched off before the safety pressure valve (not shown in Fig. 1) is triggered. This, in turn, causes a decrease of the temperature of the material in T1. When the temperature in T1 becomes too low, crystallization leads to precipitation of solids which spoils the batch. This, of course, is also an undesired situation. Thus, the timespan between the cooling failure and the switching-off of the heating is critical: it has to be short enough that the pressure increase is limited, but on the other hand as long as possible so that crystallization will not occur.

The described desired reaction of the controller can be implemented either by a limit switch which indicates a critical temperature in the evaporator or, for example to save the cost of the sensor, by a waiting time in the control program. Fig. 2 shows control code for both possibilities. The variables are explained in Table 1. The representation in Fig. 2 is a Sequential Function Chart (SFC) according to the IEC 1131 standard (IEC, 1992). In particular, action blocks are used to specify the control actions performed in each step.
An action block consists of a qualifier, an action name, and a manipulated variable. The leftmost branch of Fig. 2 represents the normal operation sequence. In the undisturbed case, the system will leave the step Evaporating when the desired concentration is reached. The part branching to the right describes the control actions during an emergency shut-down after a cooling breakdown. Alternative 1 represents the implementation of a waiting time between the cooling failure and stopping the heater. In alternative 2, a limit switch for an alarm temperature in T1 is used. As discussed above, in both cases the controller will open valve 18 and start pump 1 to drain T2 as soon as the flow of cooling agent is too low. The corresponding actions are labeled with the qualifier "S", which means that the variables V18 and P1 are set to TRUE and will remain TRUE when the step becomes inactive again. In alternative 1, the label "RD t#5m" on the third action in the step Draining T2 and switching off the heating symbolizes that the heating is switched off with a delay of 5 minutes, even if the step has become inactive in the meantime. In alternative 2, the heating is stopped when the condition TempAlarm=TRUE forces the control program to move to the second step. In both cases, as soon as T2 is empty, the SFC will switch to the subsequent step and open valve 15. When T1 is empty and the heating is switched off, the controller assumes the system to be in a state of safe shutdown.

The main problem is to determine whether both control programs (in particular the choice of the waiting time or of the threshold temperature, respectively) will prevent, under any circumstances, that the pressure and the temperatures in T1 and C1 become too high or that the material in T1 starts to crystallize. Of course, this question does not depend on the fact that the control law is realized as a computer program. However, even if it were a guideline for an operating procedure, it could not be answered by intuition, because the plant behaviour is too complex.
And, obviously, on-line testing is not the method of choice. Even simulation is difficult, because a cooling failure may happen at any point during a batch run and thus in any possible state of the system. Of course, in this simple example it would be possible to determine the worst-case scenarios and simulate them. But this will be impossible, or at least very tedious, for more complex problems. In these cases, the only way to make sure that the proposed control program will fulfill its task is to apply a formal verification method.

3 THE GENERAL APPROACH

The example in the previous section demonstrates the typical situation which is encountered when logic controllers for continuous processes have to be verified. Three elements are given: First, there is the plant to control. It may already exist or be in the planning phase. In both cases, usually semi-formal descriptions (e.g. flowcharts) and further knowledge about the physical behavior are available. Second, a control program is given which usually was created from experience and first-principles-based reasoning on the basis of a more or less detailed specification. And as the third element, some information about the desired behavior of the process is given, usually formulated in natural language.

Given the situation described above and the incentive to clearly distinguish between plant and controller behaviors and specifications, the formal verification method consisting of the steps illustrated in Fig. 3 is proposed. The grey blocks represent steps which can be performed automatically if appropriate tool support is available (the plant modeling step can only be automated partly, cf. the next section). The major effort required is to build a model of the plant. This model has to capture the uncontrolled behavior of the plant, that is, all possible undesired situations, disturbances, faults and even obviously wrong operator actions have to

be included. Otherwise, it is not possible to prove that a critical situation is reliably prevented by the controller. Then, the control program has to be translated into the same modeling framework, so that a composition of the plant model and the controller becomes possible. The composition of the models of the plant and the controller constitutes the model of the controlled plant. This model can then be analyzed and compared to a formalized description of the desired plant behavior. In the approach presented in the following sections, this will be a check whether undesired discrete states are still reachable under control.

Fig. 4 shows a more detailed representation of the modeling step for the plant. Two paths from the real system to the model are possible: either a plant module is directly modelled as a timed discrete event system using available knowledge of the process, or a (switched) continuous model is built using first principles and then approximated automatically. The first option is appropriate if the natural level of abstraction for the subsystem model is discrete (e.g., on/off valves). If the system under consideration has non-trivial continuous dynamics, the second way usually is less error-prone. We present an approximation procedure in Sec. 4.3.

4 MODELLING BY TIMED CONDITION/EVENT SYSTEMS

Since the model of the uncontrolled plant is not restricted to the nominal behavior but has to include all relevant failures and disturbances, its complexity usually is much larger than that of, e.g., simulation models for the undisturbed behavior. Therefore, a modeling framework is needed which offers the possibility to build structured models of large and complex systems from small modules. This requires a concept of interaction between subsystems. In the case of discrete event systems (DES), this is usually achieved either by conditioning transitions on states of another module (e.g. in Petri nets) or by synchronization of events (e.g. for automata). A framework combining both concepts is provided by the Condition/Event (C/E) systems of Sreenivas and Krogh (1991a). In this section we review basic notions of C/E systems and present a real-time extension. Then, a procedure is described which maps continuous dynamical systems into timed C/E systems.

4.1 Untimed Condition/Event systems

C/E systems were introduced to model interconnected discrete event and hybrid systems in a modular, block diagram and signal flow oriented fashion similar to continuous dynamical systems. When developing the model, Sreenivas and Krogh were motivated by the observation that in existing DES models the interaction of systems is based either on synchronization of events or on conditioning of event occurrence on state information. This distinction is also well known from logic controller programming languages and from the field of switching circuits (e.g. edge-triggered function block inputs in contrast to regularly scanned inputs in the IEC 1131 standard (1992)). To incorporate both concepts into a single, unified representation of interconnected DES, two classes of signals are defined over the continuous time axis which can be input or output signals of a system: condition signals and event signals (cf. Fig. 5).

Formally, a condition signal $c(\cdot)$ is a right-continuous function $c: [t_0, \infty) \to C$ with limits from the left, where $C$ is a non-empty and finite set of conditions. So, condition signals are piecewise constant and their values correspond to discrete states. An event signal $e(\cdot)$ is a function $e: [t_0, \infty) \to E_0 = E \cup \{0\}$ for which $e(t_0) = 0$ (the null or zero event) and $\{t \in [t_1, t_2] \mid e(t) \neq 0\}$ is finite for all finite intervals $[t_1, t_2] \subset [t_0, \infty)$, where $E$ is a nonempty and finite set of events. Event signals are therefore nonzero only at isolated points in time and carry information about currently occurring state transitions. The set of all condition signals and the set of all event signals on $[t_0, \infty)$ are written as $\mathcal{C}(C, t_0)$ and $\mathcal{E}(E, t_0)$, respectively.

In general, a C/E system has a condition input signal $u(t)$, an event input signal $v(t)$, a condition output signal $y(t)$ and an event output signal $z(t)$. The corresponding sets of conditions or events are $U$, $V$, $Y$, and $Z$, respectively. The basic definition of a C/E system defines its input/output behavior by a mapping which gives the set of admissible output signal trajectories for each possible input signal trajectory:
$$\Sigma: \mathcal{C}(U, t_0) \times \mathcal{E}(V, t_0) \to 2^{\mathcal{C}(Y, t_0) \times \mathcal{E}(Z, t_0)},$$
such that for any input $(u(\cdot), v(\cdot)) \in \mathcal{C}(U, t_0) \times \mathcal{E}(V, t_0)$ there exists at least one output $(y(\cdot), z(\cdot)) \in \mathcal{C}(Y, t_0) \times \mathcal{E}(Z, t_0)$ fulfilling $(y(\cdot), z(\cdot)) \in \Sigma(u(\cdot), v(\cdot))$. This definition only characterizes the input/output behavior and provides no specification or restriction of the model of the internal behavior of a C/E system. In (Sreenivas and Krogh, 1991a), any formal representation which describes an input/output relation according to the definition above is called a C/E model. Note that a C/E model does not necessarily have to be discrete. In particular, even continuous dynamics are possible as long as the system interacts with its environment by condition and event signals. Examples of C/E models based on Petri nets were presented by Sreenivas and Krogh (1991b) and Hanisch et al. (1997). In our verification approach, we apply two different C/E models, discrete state C/E systems and C/E timers.

Discrete state C/E systems were introduced by Sreenivas and Krogh to model untimed DES. They are defined as follows.

Definition 1 (Discrete state C/E system). A discrete state C/E system is a 9-tuple $S = (U, V, X, Y, Z, f, g, h, x_0)$, where $U, V, Y, Z$ are the same as above, $X$ is a finite set of discrete states, and $f$, $g$ and $h$ are functions defined as:
$f: X \times U \times V_0 \to 2^X \setminus \{\emptyset\}$, the state transition function, satisfying $\forall x \in X,\ u \in U: x \in f(x, u, 0)$;
$g: X \times U \to Y$, the condition output function; and
$h: X \times X \times V_0 \to Z_0$, the event output function, satisfying $\forall x \in X: 0 = h(x, x, 0)$.
$V_0$ and $Z_0$ symbolize that $0$ is included; $x_0 \in X$ is the initial state.

Given a discrete state C/E system $S$ and input signals $u(\cdot)$, $v(\cdot)$ defined on $[t_0, \infty)$, the set of valid state trajectories and output signals consists of all triples of signals $(x(\cdot), y(\cdot), z(\cdot))$ defined on $[t_0, \infty)$ satisfying
$$x(t) \in f(x(t^-), u(t^-), v(t)), \qquad (1)$$
$$y(t) = g(x(t), u(t)), \qquad (2)$$
$$z(t) = h(x(t^-), x(t), v(t)), \qquad (3)$$
where $x(t^-)$ and $u(t^-)$ are abbreviations of $\lim_{\delta \to 0^+} x(t - \delta)$ and $\lim_{\delta \to 0^+} u(t - \delta)$.

The semantics of a discrete state C/E system can be interpreted as an untimed finite state machine which is embedded in a time-dependent signal space formed by the condition and event input and output signals. The two kinds of signals realize the above-mentioned interaction concepts of conditioning and synchronization in a specific way: the condition input signal constitutes conditions for changes of the state of the system (hence can disable or enable certain transitions), whereas the event input signal can force transitions in the sense that they must occur at the instant when a specific event is received. Transitions can also take place spontaneously and can be nondeterministic. The two properties $\forall x \in X, u \in U: x \in f(x, u, 0)$ and $\forall x \in X: 0 = h(x, x, 0)$ of $f$ and $h$ guarantee that transitions and output events will not be forced by condition input changes.

To illustrate the use of condition and event signals, a discrete state C/E model of the condenser from the evaporator example in Sec. 2 is considered. Assume that the state $x$ of the condenser is described in a sufficiently accurate manner by three discrete values $X = \{\text{"off"}, \text{"on"}, \text{"danger"}\}$. The last element represents the situation of dangerously high pressure. Note that in this simple example the state of the system represents the equipment status ("off", "on") as well as a classification of the operational mode ("danger"). In more complex examples, it may be useful to distinguish between these two levels of abstraction. The concept of forcing by event signals is useful if, for instance, the cooling can be switched off by a control command "stop". The state transition function $f$ then has to represent the fact that for the current state "on" and an incoming event "stop" the set of possible next states is a singleton, namely "off" (see Eq. 4; the "$-$" is the so-called "don't-care" symbol and means that any value of $u(t^-)$ is allowed):
$$\{\text{off}\} = f(\text{on}, -, \text{stop}). \qquad (4)$$
A different description is necessary when, for example, the possibility of a transition to the state "danger" depending on the state of the heating in the evaporator has to be described. Obviously, the pressure in the condenser will only rise to a dangerous value if the heating is on. This is the concept of enabling or disabling and can be expressed in the C/E framework in the following manner (cf. Eqs. 5 and 6). "Heating on" and "heating off" are values of a condition signal coming from the evaporator to the condenser:
$$\{\text{off}, \text{danger}\} = f(\text{off}, \text{heating on}, 0), \qquad (5)$$
$$\{\text{off}\} = f(\text{off}, \text{heating off}, 0). \qquad (6)$$

4.2 Timed Condition/Event Systems

In addition to the discrete dynamics, quantitative timing information has to be incorporated into this framework to be able to formally verify control programs with timers against real-time constraints and to represent the plant dynamics at least in an approximate fashion. This can be done within the same conceptual framework by introducing C/E timers as a new class of C/E systems. C/E timers are coupled to the untimed subsystems by condition and event signals again. Thus, the basic C/E system definition also applies to timers. The advantage is obvious: describing the timing is part of the modular concept. The untimed dynamics and the timing conditions are separated and can be modeled independently. Timing information can be added to an already existing model without changing any block of the C/E block diagram, simply by adding the necessary timer blocks and connecting them to the appropriate discrete blocks. Such configurations consisting of at least one discrete state C/E system and a C/E timer are called timed C/E systems (TCESs for short) (Kowalewski and Preußig, 1996a). C/E timers were introduced in (Engell et al., 1995) and are defined as follows.

Definition 2 (C/E timer).

Given an initial time $t_0 \in \mathbb{R}$ and a threshold time $T_\theta \in \mathbb{R}^+ \cup \{0\}$, a C/E timer $\theta$ on $[t_0, \infty)$ is a mapping $\theta: \mathcal{E}(V_\theta, t_0) \to \mathcal{C}(Y_\theta, t_0) \times \mathcal{E}(Z_\theta, t_0)$, with $V_\theta = \{\,t_\theta := 0\,\}$, $Y_\theta = \{\,0 < t_\theta < T_\theta,\ t_\theta \geq T_\theta\,\}$ and $Z_\theta = \{\,t_\theta = T_\theta\,\}$, such that for any event input signal $v_\theta(t) \in \mathcal{E}(V_\theta, t_0)$ the output $(y_\theta(t), z_\theta(t))$ is determined by
$$y_\theta(t) = \begin{cases} \text{"}0 < t_\theta < T_\theta\text{"} & \text{if } \tau(t) < T_\theta, \\ \text{"}t_\theta \geq T_\theta\text{"} & \text{if } \tau(t) \geq T_\theta, \end{cases} \qquad (7)$$
and
$$z_\theta(t) = \begin{cases} \text{"}t_\theta = T_\theta\text{"} & \text{if } \tau(t) = T_\theta, \\ 0 & \text{else,} \end{cases} \qquad (8)$$
in which $\tau: [t_0, \infty) \to [t_0, \infty)$ is the clock function given by $\tau(t_0) = T_\theta + \varepsilon$ with $\varepsilon > 0$ arbitrary but fixed, and for all $t \in [t_0, \infty)$:
$$\dot{\tau}(t) = \begin{cases} 1 & \text{if } v_\theta(t) = 0, \\ \text{undefined} & \text{else,} \end{cases} \qquad (9)$$
$$\tau(t) := 0 \quad \text{if } v_\theta(t) \neq 0. \qquad (10)$$

A C/E timer can be interpreted as an alarm clock which is reset and started by the input event $t_\theta := 0$ and which indicates that it has reached its threshold time $T_\theta$ by sending out the event $t_\theta = T_\theta$. The condition outputs $0 < t_\theta < T_\theta$ and $t_\theta \geq T_\theta$ provide the information that the threshold has not yet been reached or has been crossed, respectively. The initial value $\tau(t_0) = T_\theta + \varepsilon$ ensures that a timer which has never been started neither emits the threshold event nor reports a running clock.

The evaporator example can be used again to illustrate the use of C/E timers to include timing constraints in C/E models. Suppose that the period $T$ is known in which the pressure increases up to the critical value after a cooling failure. This information can be incorporated into the untimed model by introducing a C/E timer with a threshold time $T$. It is started by the event "cooling_failure", which is emitted by the condenser model, and it returns an event "$t = T$" which triggers the transition from "off" to "danger". Figure 6 shows the trajectory of $\tau(\cdot)$. The cooling failure happens at time $t_1$ and $T = t_2 - t_1$. The corresponding parts of the functions $h$ and $f$ of the condenser are given by Eqs. 11 and 12:
$$\text{cooling\_failure} = h(\text{on}, \text{off}, -), \qquad (11)$$
$$\{\text{danger}\} = f(\text{off}, \text{heating on}, t = T). \qquad (12)$$

The fact that the C/E system framework is a modular input-output description in which different types of interactions of logical systems can be expressed conveniently, and in which all external quantities are defined over continuous time, makes it possible to couple C/E systems and continuous systems in a straightforward manner. The result can be the basis of a general modular modeling paradigm for hybrid systems in which C/E systems are connected to switched DAE systems which include threshold functions to generate condition and event outputs from continuous variables (Krogh, 1993; Engell et al., 1996; Engell and Hoffmann, 1996). This framework is useful for, e.g., simulation of hybrid systems. For the purpose of verification, the model is too general. If continuous dynamics are part of the model, they have to be approximated by TCESs. This is described in the next section.
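To make Definitions 1 and 2 and Eqs. 4, 11 and 12 concrete, the following Python program is an added example written for this edited version; it is not code from the paper or its authors. It implements a discrete state C/E system with table-driven $f$, $g$, $h$, a C/E timer with the clock semantics of Eqs. 7-10, and an event-driven run of the condenser model in which the "heating on"/"heating off" condition comes from a constructed evaporator schedule. Assumed here and not taken from the paper: the cooling breakdown is injected as a forcing input event "fail" so that a run can be scheduled, $f(\text{off}, \text{heating off}, t = T) = \{\text{off}\}$, and all numeric values of $T$ and event times.

```python
# Added example (not the authors' code): discrete-state C/E system (Definition 1) for the
# condenser of Sec. 2, coupled to a C/E timer (Definition 2) as in Eqs. 11 and 12.
DONT_CARE = "-"


class DiscreteCESystem:
    """S = (U, V, X, Y, Z, f, g, h, x0) with f, g, h given as lookup tables.
    f_table: (x, u | DONT_CARE, v) -> set of successor states
    g_table: (x, u | DONT_CARE)    -> condition output (defaults to the state itself)
    h_table: (x_prev, x, v | DONT_CARE) -> output event"""

    def __init__(self, x0, f_table, g_table=None, h_table=None):
        self.x = x0
        self.f_table, self.g_table, self.h_table = f_table, g_table or {}, h_table or {}

    def f(self, x, u, v):
        for key in ((x, u, v), (x, DONT_CARE, v)):
            if key in self.f_table:
                return self.f_table[key]
        # Definition 1 requires x in f(x, u, 0): a condition change alone never forces a move.
        return {x} if v == 0 else set()

    def g(self, x, u):
        return self.g_table.get((x, u), self.g_table.get((x, DONT_CARE), x))

    def h(self, x_prev, x, v):
        for key in ((x_prev, x, v), (x_prev, x, DONT_CARE)):
            if key in self.h_table:
                return self.h_table[key]
        return 0  # h(x, x, 0) = 0: no output event unless the table says otherwise

    def step(self, u_left, v, pick=min):
        """Eqs. 1-3 at one instant t: x(t) in f(x(t-), u(t-), v(t)); nondeterminism is
        resolved by `pick`. Returns (y(t), z(t))."""
        successors = self.f(self.x, u_left, v)
        if not successors:
            raise ValueError(f"no successor for ({self.x}, {u_left}, {v})")
        x_prev, self.x = self.x, pick(successors)
        return self.g(self.x, u_left), self.h(x_prev, self.x, v)


class CETimer:
    """Alarm clock of Definition 2: tau(t0) = T + eps (never started), reset to 0 by the
    input event, condition output '0<t<T' / 't>=T' (Eq. 7), event 't=T' at expiry (Eq. 8)."""

    def __init__(self, T, eps=1.0):
        self.T, self.tau = T, T + eps

    def reset(self):            # Eq. 10
        self.tau = 0.0

    def advance(self, dt):      # Eq. 9 integrated over dt; expiry instants are scheduled
        self.tau += dt          # exactly by the simulator, so the equality test is exact
        return "t=T" if self.tau == self.T else 0

    def condition(self):
        return "0<t<T" if self.tau < self.T else "t>=T"


def condenser():
    f = {
        ("on", DONT_CARE, "stop"): {"off"},          # Eq. 4: forced by the stop command
        ("on", DONT_CARE, "fail"): {"off"},          # assumed forcing event for the breakdown
        ("off", "heating on", "t=T"): {"danger"},    # Eq. 12: timer expiry while heating on
        ("off", "heating off", "t=T"): {"off"},      # assumption: heating already off, stay off
    }
    h = {("on", "off", DONT_CARE): "cooling_failure"}  # Eq. 11
    return DiscreteCESystem("on", f, h_table=h)


def simulate(T, t_fail, t_heat_off):
    """Event-driven run: the cooling fails at t_fail; the evaporator heating (condition
    input of the condenser) is switched off at t_heat_off. Returns the list of
    (t, condenser state, timer condition output) after each event."""
    cond, timer = condenser(), CETimer(T)

    def heating_left(t):  # u(t-) of Eq. 1: condition signals are right continuous, so the
        return "heating on" if t <= t_heat_off else "heating off"  # left limit at t_heat_off is "on"

    agenda, log, t_prev = [(t_fail, "fail")], [(0.0, cond.x, timer.condition())], 0.0
    while agenda:
        agenda.sort()
        t, v = agenda.pop(0)
        z_timer = timer.advance(t - t_prev)   # "t=T" exactly at the scheduled expiry, else 0
        t_prev = t
        y, z = cond.step(heating_left(t), v or z_timer)
        if z == "cooling_failure":            # the Eq. 11 output event resets the timer ...
            timer.reset()
            agenda.append((t + T, 0))         # ... which reaches T at this instant
        log.append((t, cond.x, timer.condition()))
    return log


def reaches_danger(T, t_fail, t_heat_off):
    """Does this one scenario visit the undesired state? The paper answers the question
    for all scenarios at once by reachability analysis of the composed model."""
    return any(x == "danger" for _, x, _ in simulate(T, t_fail, t_heat_off))


if __name__ == "__main__":
    for T in (3.0, 7.0, 5.0):   # heating switched off 5 time units after the failure
        print(T, simulate(T, 10.0, 15.0))
```

The three runs in the `__main__` block use a fixed waiting time of 5 time units between failure and switching the heating off. With $T = 3$ the timer expires first and "danger" is reached; with $T = 7$ the heating is already off and the condenser stays in "off". The run with $T = 5$ is the boundary case: the timer expires at the same instant the heating is switched off, and because Eq. 1 evaluates $u(t^-)$ the transition still sees "heating on", so a waiting time equal to $T$ is not safe. This is exactly the kind of quantitative question that the qualitative running/elapsed timer abstraction of Sec. 1 cannot answer.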

4.3 Approximation of continuous models

We assume that the continuous system which has to be approximated is given as a system of switched ODEs of the form
$$\dot{x} = f(x, u), \quad x \in X \subset \mathbb{R}^n,\ u \in U \subset \mathbb{R}^m, \qquad (13)$$
where $X$ denotes the $n$-dimensional continuous state space and $U$ the input space. For the input trajectories $u(t)$ we assume that they are piecewise constant. Furthermore, $f$ shall be Lipschitz-continuous between the switching points of $u(t)$. We introduce a rectangular partition of the continuous state space which is derived from those thresholds of the state variables which are crucial for a particular controller verification problem. The controller receives the information whether the values of the state variables are below or above certain landmarks and computes an appropriate command depending on this discrete information. The threshold detection corresponds to a partition of the range of each state variable $x_j$ into a finite number of discrete intervals (qualitative states), e.g. "low", "normal", "high" and "critical" for the temperature in a chemical reactor. Formally, we define a mapping $D_X: X \to \{1, \ldots, p_1\} \times \cdots \times \{1, \ldots, p_n\}$ which divides the state space $X$ into a finite set of $n$-dimensional rectangular partition elements. $D_X$ is characterized by an ordered set of landmarks
$$L_j = \{l_{j,0}, \ldots, l_{j,p_j}\}, \quad j \in \{1, \ldots, n\}, \qquad (14)$$
for each $x_j$, where a landmark $l_{j,k}$, $k \in \{1, \ldots, p_j\}$, corresponds to one of the $p_j$ thresholds. For each partition element, the mapping $D_X$ generates an index vector $d = (d_1, \ldots, d_n)$ which specifies the number of the actual discrete interval (defined by two consecutive landmarks) for each $x_j$:
$$d_j = \begin{cases} k & \text{if } x_j \in [\,l_{j,k-1}, l_{j,k}\,[,\ k \in \{1, \ldots, p_j - 1\}, \\ p_j & \text{if } x_j \in [\,l_{j,p_j-1}, l_{j,p_j}\,]. \end{cases} \qquad (15)$$
We assume that $X$ is a bounded region such that the physically admissible range of $x_j$ is limited by $l_{j,0}$ and $l_{j,p_j}$. The symbol $D_x$ is used to denote the vector of intervals which corresponds to the index vector $d$. As shown in Fig. 7, $D_X$ produces a partitioned state space $\mathcal{D}_X$ consisting of $\pi$ elements $D_x$, each of which represents a cell of hyperbox (or rectangular) shape:
$$\mathcal{D}_X = \{D_{x,1}, \ldots, D_{x,\pi}\}, \quad \pi = \prod_j p_j. \qquad (16)$$
A discretization operator $D_U$ similar to $D_X$ is applied to the input space $U$, leading to a discrete input space $\mathcal{D}_U$. In the following we assume that $D_u$ can only change when $D_x$ changes. This corresponds to the usual closed-loop setting in which the logic controller changes its output as a reaction to a threshold crossing of the process. The objective now is to approximate the dynamic system given by Eq. 13, together with the partitions $D_X$ and $D_U$, by a TCES as described in Sec. 4.2. The idea is to interpret the regions between adjacent gridpoints on the cell boundaries as discrete states and to determine transitions by calculating continuous trajectories between different states. This is different from earlier approaches (Stursberg et al., 1997a and 1997b) in which the cells themselves were mapped onto the discrete states.

20 We introduce a grid on the boundary of each cell D x, i. e. assigning (n-1) n g gridpoints equally spaced to all sides of the hyperboxes yields a grid with meshsize: ε jk, l jk, l jk, n g ( ) = (17) The gridpoints are labelled by γ d,g, where d is again the cell identifier. The n-dimensional vector g indicates component-wise the number of the gridpoint (starting with zero on the cell s corner with the lowest landmark indices), except of the invariant coordinate of the boundary section which gets a - or a + for the lower or upper side, respectively, of the hyperbox. Next, a set Σ d of discrete states σ d,s is introduced where σ d,s represents the region of the cell boundary that is enclosed by 2 (n-1) gridpoints lying adjacent on a boundary section (i. e. one side of the hyperbox D x). As shown in Fig. 8, the state identifier s is identical to the highest indexed gridpoint identifier g being involved. The behavior within D x, decribed by Eq. 13, is mapped into a transition system by determining the set of feasible successor states for each σ d,s Σ d. First, we define classes of continuous trajectories in a cell D x: Definition 3 (Forward/Backward cell trajectories) Let D x D X be a cell indexed by d, and ( D x) its boundary. Assume that [t 0, t e ] is a time interval on which a continuous solution of Eq. 13 exists where x(t 0 ) ( D x), x(t e ) ( D x) but x(]t 0, t e [) ( D x). Then, the solution of Eq. 13 in [t 0, t e ] with x(t 0 ) = γ d,g is called the forward + cell trajectory, denoted by ϕ ( γ dg, ), and the solution with x(t e ) = γ d,g is the backward cell 20

21 trajectory ϕ ( γ dg, ). Additionally, the solution of Eq. 13 in [t 0, ] with x(t 0 ) = γ d,g and x(]t 0, [) ( D x) is a forward cell trajectory of γ d,g denoted by ϕ + ( γ ) dg,. Transitions are assigned to those pairs of discrete states in D x between which at least one cell trajectory exists: Definition 4 (Cell-internal transition (CIT)) For two discrete states σ d,s1, σ d,s2 in Σ d, a cell-internal transition, denoted by φ d,s1 s2, is introduced, if + for one γ d,g constituting σ d,s1 ϕ ( γ dg, ) where x(t e ) lies in the region of σ d,s2, or for one γ d,g assigned to σ d,s2 ϕ ( γ dg, ) with x(t 0 ) in the region of σ d,s1. The set of all transitions starting in σ d,s1 is denoted by Φ d,s1 and Σ T d,s1 is the set of target states being reachable via transitions in Φ d,s1. For ϕ + ( γ dg, ), with γ d,g being assigned to σ d,s1, a selfloop-transition φ d,s1 s1 is introduced. In the case that the integration endpoint lies on the border between two or more regions all corresponding discrete states are included in the set Σ T d,s1. Technically, the determination of all transitions is performed by evaluating the forward and backward cell trajectories for all γ d,g in D X (if D X is not left). Note that the gridpoint and state indexing stated above allows two 21

22 different indices for boundary sections inside of D X. Thus, for boundaries shared by two cells, only the index carrying a - for the invariant coordinate is used. For numerical integration, the 4/5 th -order Runge-Kutta-method with step-size adaption was used. Besides leaving a cell region, the stopping criteria to capture cycling attractors as well as asymptotic approaches to steady states were an upper bound for the residence time in a cell and a lower bound for the progress of the integration. Definitions 3 and 4 lead to a time valuation of transitions in a straightforward manner if an interval enclosing the integration times of all cell trajectories connecting two cells is determined: Definition 5 (Transition time interval (TTI)). For t 0 = 0 in the definitions of ϕ + ( γ dg, ) and ϕ ( γ dg, ), t e is the duration for which the cell trajectory is defined. If T e is the set of durations of all forward and backward cell trajectories corresponding to a transition φ d,s1 s2, its transition time interval is given by t d,s1 s2 = [min(t e ), max(t e )], respectively by t d,s1 s1 = [0, ] for a self-loop transition. Using these definitions, the cell trajectories constituting a discrete transition φ d,s1 s2 are interpreted as representatives for all continuous trajectories connecting the states σ d,s1 and σ d,s2. It is clear that these representatives can only estimate the set of actually possible transitions and do not necessarily form a strict inclusion of all feasible behaviors. Neither the set of reachable states nor the TTI are a conservative approximation. Thus, to be useful in a 22

23 formal verification approach, additional care has to be taken that the discretization is chosen fine enough to ensure conservativeness. When all CITs and the corresponding TTIs are computed, the representation as a TCES is straightforward. A discrete state C/E system is introduced with a state space equal to the set of the cell boundary regions, X = Σ d, and with a discrete transition for any CIT. The timing information is given by the TTIs. They can be regarded as the lower and upper bound for the instances at which a transition takes place. Thus, for any discrete transition two thresholds define its timing: a lower threshold T l gives the time at which the transition can happen at the earliest instance, a upper threshold T u gives the time at which the transition has to take place eventually. In other words, the condition "time is beyond T l " enables the transition while the condition "time is below T l " disables it. And the event "time reaches T u " will force the transition if it has not happened already in the meantime. It is obvious that this behavior can nicely be modeled by means of TCESs. 4.4 Application of the approximation procedure to the example To illustrate the approximation procedure sketched above, we return to the evaporation process from Sec. 2. Now, it is assumed that a switched continuous model is available. The set of differential and algebraic equations is listed in Table 2. It decribes the emergency shutdown sequence. The process consists of three phases: first a period with condenser malfunction and heat input, where the temperature ϑ and pressure p in (the closed) tank T1 rise due to continuing evaporation, and where T2 is drained. In this case, the heater is switched off when a corresponding alarm temperature is reached. Now, ϑ decreases because of heat transfer to the environment. First vapor condenses and, after reaching atmospheric pressure, the 23

24 temperature falls below the boiling point. This process step, denoted phase 2, is finished when T2 becomes empty. Changing the positions of V15 and V18, the liquid content of T1 is drained into T2, where T1 is assumed to be ventilated in this stage and the temperature decrease proceeds. The task is to verify, whether the alarm temperature was chosen sufficiently high to avoid that ϑ falls below a crystallization temperature before the liquid level in T1, denoted H 1, becomes zero. Thus, we have a hybrid 3-dimensional system with the state vector x = (ϑ, H 1, H 2 ) and a discrete input vector u = (Heat, V15, V18). For the computations, we determined values for the parameters from Tab. 2 for an existing laboratory plant. The continuous state space is partitioned by introducing the following sets of landmarks: L ϑ = {338, 373, 385, 395} K, L H1 = {0.01, 0.2, 0.22} m and L H2 = {0.01, 0.28, 0.3} m (see Fig. 9). The temperature landmarks refer to the crystallization temperature, the initial evaporation temperature and the two alternative alarm temperatures. The level thresholds correspond to the state empty and an upper and a lower bound for the initial operation mode. Choosing a grid with one additional gridpoint between two adjacent landmarks, a system with 208 discrete states results. Timed transitions between these states were determined by a MATLAB implementation of the approximation procedure described above, leading to a set of about 2800 transitions for the different u-vectors in the 3 process phases. A reachability analysis (see Sec. 5) for different cases of this model can answer the question whether a set of forbidden states S F (the states in plane with ϑ = 338 K) is reachable from a set of start states S 0. To illustrate the effect of the alarm temperature on the correctness of the controller implementation we present two simulations of continuous trajectories starting in x = (373 K, 24

25 0.2 m, 0.28 m) in Fig. 9: While the trajectory for switching of u at ϑ = 385 K ends within the discrete state indexed by b122s011, (which belongs to S F ) the trajectory corresponding to an alarm temperature ϑ = 395 K reaches the value H 1 = 0.01 m before the dissolved substance can crystallize. (Note that the simulations of Fig. 9 do not represent the verification procedure.) The fact that the endpoints of both trajectories lie closely together again illustrates the problem that the success of the approach is sensitive to the granularity of discretization. It is necessary to choose a sufficiently fine meshsize for the discrete model. The improvement of the approximation accuracy as well as the reduction of the computational effort ( floating point operations were necessary to compute the timed discrete model here) are topics of current investigations. 5 ANALYSIS The last step of the verification procedure according to Fig. 3 is the analysis of the model of the controlled plant. In our approach, this problem is solved by model checking, similar to the approach by Powers et al. (see Sec. 1). However, since TCESs permit the formulation of realtime constraints, purely discrete approaches like (Burch et al., 1992) are not appropriate and model checking techniques for real-time systems have to be chosen. Such techniques were recently developed for the Timed Automata (TA) model by Alur and Dill (1994) (Henzinger et al., 1994). To apply these methods we take advantage of the fact that TCESs are equivalent in expressive power to a subclass of TAs called Safety TAs (Huuck et al. 1997a). This allows us to transform TCES models to TA models and use existing model checkers for TAs, e.g. KRONOS (Olivero and Yovine, 1993) or HyTech (Henzinger et al., 1996). 25
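Before turning to the timed-automata analysis, here is the approximation procedure of Sec. 4.3 carried out on a reduced version of the Sec. 4.4 example, as an added illustration (not the paper's MATLAB implementation). It assumes a constructed two-dimensional drain-phase model in ϑ and $H_1$ with made-up cooling and drain rates, uses fixed-step RK4 and forward trajectories only, and keys boundary states by (fixed axis, landmark index, cell index, sub-segment) instead of the paper's γ/σ labels; the check at the end reproduces the granularity effect discussed above, a forbidden state being reached with $n_g = 2$ but not with $n_g = 8$ from the same start point.

```python
import math
from itertools import product

# Constructed drain-phase model (assumed values): T1 empties at a constant rate while cooling.
K_COOL, T_ENV, Q_DRAIN = 0.01, 293.0, 0.003      # 1/min, K, m/min
# Landmarks of Sec. 4.4 for theta [K] and H1 [m]; the third state H2 is dropped.
LANDMARKS = [[338.0, 373.0, 385.0, 395.0], [0.01, 0.2, 0.22]]
CELLS = list(product(*(range(1, len(L)) for L in LANDMARKS)))   # index vectors d
TOL = 1e-9

def f(x):
    """Right-hand side of Eq. 13 for x = (theta, H1) and the fixed drain input u."""
    return (-K_COOL * (x[0] - T_ENV), -Q_DRAIN)

def cell_bounds(d):
    """Eq. 15 read backwards: index vector d -> (lower, upper landmark) per axis."""
    return [(LANDMARKS[j][d[j] - 1], LANDMARKS[j][d[j]]) for j in range(2)]

def states_containing(x, d, n_g):
    """States sigma_{d,s} of cell d whose boundary region holds x, keyed (j, k, c, s):
    fixed axis j, landmark index k on it, cell index c and sub-segment s on the other
    axis (a face shared by two cells gets one key; the paper keeps its '-' index)."""
    b, out = cell_bounds(d), set()
    for j in range(2):
        o = 1 - j
        w = (b[o][1] - b[o][0]) / n_g                # mesh size of Eq. 17
        for k in (d[j] - 1, d[j]):
            if abs(x[j] - LANDMARKS[j][k]) > TOL:
                continue
            for s in range(n_g):
                if b[o][0] + s * w - TOL <= x[o] <= b[o][0] + (s + 1) * w + TOL:
                    out.add((j, k, d[o], s))
    return out

def rk4_step(x, dt):                                 # paper: adaptive 4/5th-order scheme
    k1 = f(x)
    k2 = f([x[i] + dt / 2 * k1[i] for i in range(2)])
    k3 = f([x[i] + dt / 2 * k2[i] for i in range(2)])
    k4 = f([x[i] + dt * k3[i] for i in range(2)])
    return [x[i] + dt / 6 * (k1[i] + 2 * k2[i] + 2 * k3[i] + k4[i]) for i in range(2)]

def forward_cell_trajectory(g, d, dt=0.1, t_max=200.0):
    """phi^+(gamma_{d,g}) of Def. 3: integrate from gridpoint g inside cell d until its
    boundary is crossed.  Returns (exit point, t_e); None if the vector field leaves
    the cell at g immediately; (None, inf) if the cell is not left by t_max."""
    b, x, t = cell_bounds(d), list(g), 0.0
    while t < t_max:
        y, theta = rk4_step(x, dt), 1.0
        for j in range(2):                           # fraction of the step to the first crossing
            if y[j] < b[j][0] - TOL:
                theta = min(theta, (b[j][0] - x[j]) / (y[j] - x[j]))
            if y[j] > b[j][1] + TOL:
                theta = min(theta, (b[j][1] - x[j]) / (y[j] - x[j]))
        if theta < 1.0:
            if t == 0.0 and theta < 1e-6:
                return None
            xe = [min(max(x[i] + theta * (y[i] - x[i]), b[i][0]), b[i][1]) for i in range(2)]
            return xe, t + theta * dt
        x, t = y, t + dt
    return None, math.inf

def approximate(n_g):
    """All CITs (Def. 4) with their TTIs (Def. 5): {(src, dst): (min t_e, max t_e)}."""
    tti = {}
    for d in CELLS:
        b, grid = cell_bounds(d), set()
        for j, side, i in product(range(2), range(2), range(n_g + 1)):   # n_g + 1 points per side
            pt = [0.0, 0.0]
            pt[j], pt[1 - j] = b[j][side], b[1 - j][0] + i * (b[1 - j][1] - b[1 - j][0]) / n_g
            grid.add(tuple(pt))
        for g in grid:
            res = forward_cell_trajectory(g, d)
            if res is None:
                continue
            xe, t_e = res                            # xe is None for a self-loop
            srcs = states_containing(g, d, n_g)
            dsts = srcs if xe is None else states_containing(xe, d, n_g)
            for src, dst in product(srcs, dsts):
                lo, hi = tti.get((src, dst), (math.inf, 0.0))
                tti[(src, dst)] = (0.0 if xe is None else min(lo, t_e), max(hi, t_e))
    return tti

def reachable_states(tti, start):
    """Discrete reachability over the CITs from the set of start states."""
    succ = {}
    for src, dst in tti:
        succ.setdefault(src, set()).add(dst)
    seen, work = set(start), list(start)
    while work:
        new = succ.get(work.pop(), set()) - seen
        seen |= new
        work.extend(new)
    return seen

def crystallizes(n_g, x0):
    """Is a forbidden state S_F (face theta = 338 K, i.e. key j = 0, k = 0) reachable
    from the states containing x0, the point at which draining begins?"""
    start = set().union(*(states_containing(x0, d, n_g) for d in CELLS))
    return any(j == 0 and k == 0 for j, k, _, _ in reachable_states(approximate(n_g), start))
```

With these constructed rates, draining that starts at (385 K, 0.2 m) never reaches ϑ = 338 K in the continuous model, yet the coarse grid with $n_g = 2$ reports the forbidden state as reachable, because the exit point on the ϑ = 373 K face lands in a region whose upper gridpoint does cool down too early.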

TAs are a generalization of Büchi automata obtained by adding real-valued variables, called clocks, whose values increase at rate one and which can be reset by transitions. Transitions can be made dependent on the values of the clocks by clock constraints, i.e. Boolean combinations of formulas of the form $c \,\#\, n$ with c a clock, $\# \in \{=, <, \le, >, \ge\}$ and n a nonnegative integer. A TA is then defined over an alphabet Σ as a 4-tuple $A = (Q, q_0, C, E)$ with: Q, a finite set of locations (discrete states); $q_0 \in Q$, the initial location; C, a finite set of clocks; $E \subseteq Q \times Q \times \Sigma \times \Phi(C) \times 2^C$, the set of transitions; and an acceptance condition. A transition $(q, q', a, \delta, \rho) \in E$ represents a transition from q to q' on the input symbol a, conditioned by the clock constraint $\delta \in \Phi(C)$ ($\Phi(C)$ being the set of constraints over C) and resulting in a reset of the clocks $\rho \in 2^C$. A Safety TA is a TA whose acceptance condition is trivial (i.e. every state is an accepting state). The behavior of a TA is defined by accepting runs which correspond to timed words of the TA. Timed words are infinite sequences of pairs consisting of a symbol σ from Σ and a time stamp representing the point in time at which a transition labeled with σ was taken. The set of all timed words of a TA forms the language of the TA. The state of a TA comprises the location and the values of the clocks.

The reachability analysis of TAs is an iterative procedure determining the set of states which are reachable from an initial state, i.e. an initial location and initial values for the clock variables. In the symbolic variant, which is used by HyTech, the algorithm is based on a representation of polyhedral subsets of the clock-variable space and on operations on polyhedral sets such as intersection. The iteration roughly works as follows. Each time a location is reached with a certain polyhedron representing the possible clock values, it is checked whether the location has been reached before and, if so, whether the current polyhedron is completely contained in the union of the polyhedra with which the location has been visited before. If this is the case, this branch of the search tree is abandoned. If not, the polyhedron is "stretched" by letting time pass, which increases the clock values. The resulting polyhedron is then used to determine whether the transitions from the current location are possible: for each transition, it is intersected with the polyhedron representing the corresponding clock constraint. If the intersection is empty, the timing conditions prevent the transition; if not, the transition is possible, and for each possible transition the iteration continues. It can be proved that the algorithm terminates for rational values of the thresholds (Alur and Dill, 1994).

Obviously, the definitions of the behavior of a TCES and of a TA are based on completely different concepts: a TCES is specified as a relation associating a set of output signal trajectories with input signal trajectories, whereas the behavior of a TA is defined as a set of timed words. However, a translation from TCESs to TAs can be realized by a two-step procedure. First, the underlying transition system of the TCES is mapped into an isomorphic state transition structure for the TA. Then the relevant conditions and events for each transition of the TCES are mapped into transition constraints for the TA. An algorithm for the automatic translation of a TCES into a TA is given in (Huuck et al., 1998). Technical problems of this procedure arise from subtle details, which the following examples may illustrate: In TCESs, an input event "t = T" from a timer can force a transition to occur. In TAs, a guard of the kind "t = T" is only a necessary condition for the occurrence of the transition at time T. This problem can be solved by invariants, which are logical propositions on the clock variables that have to hold in the assigned location. The location must be left if the invariant becomes false. However, a location cannot be entered if the invariant is false.
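The iteration described above, restricted to a single clock so that every polyhedron is a closed interval of clock values, as an added illustration (not HyTech's implementation and not the paper's TCES models). The automaton, its time values and its invariants are constructed here to mirror the heating/cooling/draining sequence of Sec. 4.4, only non-strict constraints are used, and the `invariants` switch shows the point just made: with a guard "t = T" alone the forced timer event of the TCES is not enforced, with an invariant "t ≤ T" it is.

```python
INF = float("inf")

class TA:
    """One-clock timed automaton.  invariants: {location: bound} for 'c <= bound'
    (locations not listed have no invariant); transitions: (src, dst, lo, hi, reset)
    for the guard lo <= c <= hi, with c := 0 on firing if reset is True.
    Only non-strict constraints are used, so every zone is a closed interval."""
    def __init__(self, invariants, transitions):
        self.inv, self.trans = invariants, transitions

def contained(zone, visited):
    """Is the interval zone inside the union of the intervals in visited?"""
    lo, hi = zone
    reach = None                     # right end of the part of [lo, hi] covered so far
    for a, b in sorted(visited):
        if a <= lo <= b or (reach is not None and a <= reach):
            reach = b if reach is None else max(reach, b)
            if reach >= hi:
                return True
    return False

def reachable(ta, init):
    """Symbolic forward reachability as sketched in Sec. 5, intervals standing in
    for polyhedra.  Returns {location: [zones, after letting time pass, with which
    the location was visited]}."""
    visited, work = {}, [(init, (0.0, 0.0))]
    while work:
        loc, zone = work.pop()
        if contained(zone, visited.get(loc, [])):
            continue                                  # seen before: leave this branch
        bound = ta.inv.get(loc)                       # "stretch": let time pass up to
        zone = (zone[0], INF if bound is None else bound)   # the invariant bound
        visited.setdefault(loc, []).append(zone)
        for src, dst, g_lo, g_hi, reset in ta.trans:
            if src != loc:
                continue
            lo, hi = max(zone[0], g_lo), min(zone[1], g_hi)   # intersect with the guard
            if lo > hi:
                continue                              # timing condition prevents it
            nxt = (0.0, 0.0) if reset else (lo, hi)
            tb = ta.inv.get(dst)
            if tb is not None:                        # dst cannot be entered while its
                if nxt[0] > tb:                       # invariant is false
                    continue
                nxt = (nxt[0], min(nxt[1], tb))
            work.append((dst, nxt))
    return visited

def shutdown_ta(wait, invariants=True):
    """Constructed automaton for the shutdown sequence of Sec. 4.4 (minutes, assumed
    values): the alarm timer switches the heater off after 4 min, T1 is drained after
    `wait` min of cooling and is empty 6 to 8 min later, and the material crystallizes
    if cooling lasts 10 min or draining lasts 9 min.  With invariants=False the forcing
    timer events of the TCES are rendered by guards alone."""
    inv = {"heating": 4, "cooling": wait, "draining": 8} if invariants else {}
    trans = [("heating", "cooling", 4, 4, True),          # TCES timer event "t = T"
             ("cooling", "draining", wait, wait, True),
             ("cooling", "crystallized", 10, INF, False),
             ("draining", "done", 6, 8, True),
             ("draining", "crystallized", 9, INF, False)]
    return TA(inv, trans)

def crystallization_reachable(wait, invariants=True):
    """Is the forbidden location reachable from 'heating' with clock 0?"""
    return "crystallized" in reachable(shutdown_ta(wait, invariants), "heating")
```

With invariants the forbidden location is reachable only for a waiting time of 10 min or more; with guards alone the cooling location can be left arbitrarily late, so the analysis reports it reachable for every waiting time.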
So, if the above behavior of the TCES is modeled by an invariant "t ≤ T" in the corresponding location of the TA, an additional location with the invariant "t > T" has to be introduced to express that the TCES state may be reached again after the clock has crossed its threshold. For a transition in a TCES at time t, the condition input signal from a C/E timer is evaluated at time $t^-$, whereas the constraints in TAs refer to the time of the transition itself. Consequently, "<"-relations in TCESs have to be mapped into "≤"-relations in TAs.

We applied the analysis approach both to an approximated model and to a model which was built as a TCES model from the outset. In the latter case, we used the waiting-time variant of the evaporator example (Fig. 2, left part). The model consists of 4 TCESs: one for the evaporator, one for the condenser, one for the post-processing tank, and one for the controller. Due to space limitations it cannot be presented here in detail. The sizes of the subsystems vary between 5 and 11 discrete states and 1 to 3 clocks. The requirements are formulated locally as forbidden states for the three subsystems of the plant: "pressure is above a critical value" in the condenser, "material has crystallized" in the evaporator, and "overflow" in the post-processing tank. The four TCESs and their interconnection were translated to TAs with corresponding synchronizations. When fed into HyTech, it first builds the product of the TAs and then performs the reachability analysis described above. Choosing waiting time = 3 (minutes), the result is that the forbidden location "material has crystallized" in the TA for the evaporator is reachable. If the waiting time is increased to 7, the analysis reveals that the location "pressure is above a critical value" in the condenser TA can be reached. Instead of trying different settings of the parameter waiting time, it is possible to perform a parametric analysis. In this case, the values of timing constraints and switching points can be left unspecified, and HyTech will determine the range of these values for which a given set of states is reachable or not. If waiting time is declared as a parameter, the result is that for 4 ≤ waiting time ≤ 5 none of the three forbidden locations is reachable.

6 CONCLUSIONS

An approach to the formal verification of logic controllers for continuous processes was presented which addresses several problems of practical relevance: It is based on a clear distinction between the plant and the controller, which permits a transparent, process-specific formulation of the requirements. The underlying framework is modular and signal-oriented, which helps to build complex models. It permits the formulation of real-time constraints, which addresses the fact that most industrial logic control programs contain timers and that dynamical processes can often be described sufficiently well by real-time models. Continuous models are approximated automatically by timed discrete event models. This provides a systematic procedure to develop verifiable models of continuous systems. The approach takes advantage of existing techniques and tools for the verification of real-time and hybrid systems.


More information

Diagnosis of Dense-Time Systems using Digital-Clocks

Diagnosis of Dense-Time Systems using Digital-Clocks Diagnosis of Dense-Time Systems using Digital-Clocks Shengbing Jiang GM R&D and Planning Mail Code 480-106-390 Warren, MI 48090-9055 Email: shengbing.jiang@gm.com Ratnesh Kumar Dept. of Elec. & Comp. Eng.

More information

Approximation Metrics for Discrete and Continuous Systems

Approximation Metrics for Discrete and Continuous Systems University of Pennsylvania ScholarlyCommons Departmental Papers (CIS) Department of Computer & Information Science May 2007 Approximation Metrics for Discrete Continuous Systems Antoine Girard University

More information

Bounded Model Checking with SAT/SMT. Edmund M. Clarke School of Computer Science Carnegie Mellon University 1/39

Bounded Model Checking with SAT/SMT. Edmund M. Clarke School of Computer Science Carnegie Mellon University 1/39 Bounded Model Checking with SAT/SMT Edmund M. Clarke School of Computer Science Carnegie Mellon University 1/39 Recap: Symbolic Model Checking with BDDs Method used by most industrial strength model checkers:

More information

Petri nets. s 1 s 2. s 3 s 4. directed arcs.

Petri nets. s 1 s 2. s 3 s 4. directed arcs. Petri nets Petri nets Petri nets are a basic model of parallel and distributed systems (named after Carl Adam Petri). The basic idea is to describe state changes in a system with transitions. @ @R s 1

More information

Hierarchy among Automata on Linear Orderings

Hierarchy among Automata on Linear Orderings Hierarchy among Automata on Linear Orderings Véronique Bruyère Institut d Informatique Université de Mons-Hainaut Olivier Carton LIAFA Université Paris 7 Abstract In a preceding paper, automata and rational

More information

Synchronous Sequential Circuit

Synchronous Sequential Circuit Synchronous Sequential Circuit The change of internal state occurs in response to the synchronized clock pulses. Data are read during the clock pulse (e.g. rising-edge triggered) It is supposed to wait

More information

TESTING is one of the most important parts of the

TESTING is one of the most important parts of the IEEE TRANSACTIONS 1 Generating Complete Controllable Test Suites for Distributed Testing Robert M. Hierons, Senior Member, IEEE Abstract A test suite is m-complete for finite state machine (FSM) M if it

More information

Advanced Adaptive Control for Unintended System Behavior

Advanced Adaptive Control for Unintended System Behavior Advanced Adaptive Control for Unintended System Behavior Dr. Chengyu Cao Mechanical Engineering University of Connecticut ccao@engr.uconn.edu jtang@engr.uconn.edu Outline Part I: Challenges: Unintended

More information

An Operational Semantics for the Dataflow Algebra. A. J. Cowling

An Operational Semantics for the Dataflow Algebra. A. J. Cowling Verification and Testing Research Group, Department of Computer Science, University of Sheffield, Regent Court, 211, Portobello Street, Sheffield, S1 4DP, United Kingdom Email: A.Cowling @ dcs.shef.ac.uk

More information

Abstractions and Decision Procedures for Effective Software Model Checking

Abstractions and Decision Procedures for Effective Software Model Checking Abstractions and Decision Procedures for Effective Software Model Checking Prof. Natasha Sharygina The University of Lugano, Carnegie Mellon University Microsoft Summer School, Moscow, July 2011 Lecture

More information

chapter 12 MORE MATRIX ALGEBRA 12.1 Systems of Linear Equations GOALS

chapter 12 MORE MATRIX ALGEBRA 12.1 Systems of Linear Equations GOALS chapter MORE MATRIX ALGEBRA GOALS In Chapter we studied matrix operations and the algebra of sets and logic. We also made note of the strong resemblance of matrix algebra to elementary algebra. The reader

More information

Supervisory Control: Advanced Theory and Applications

Supervisory Control: Advanced Theory and Applications Supervisory Control: Advanced Theory and Applications Dr Rong Su S1-B1b-59, School of EEE Nanyang Technological University Tel: +65 6790-6042, Email: rsu@ntu.edu.sg EE6226, Discrete Event Systems 1 Introduction

More information

Assertions and Measurements for Mixed-Signal Simulation

Assertions and Measurements for Mixed-Signal Simulation Assertions and Measurements for Mixed-Signal Simulation PhD Thesis Thomas Ferrère VERIMAG, University of Grenoble (directeur: Oded Maler) Mentor Graphics Corporation (co-encadrant: Ernst Christen) October

More information

Module 7. Software Engineering Issues. Version 2 EE IIT, Kharagpur 1

Module 7. Software Engineering Issues. Version 2 EE IIT, Kharagpur 1 Module 7 Software Engineering Issues Version 2 EE IIT, Kharagpur 1 Lesson 35 Modelling Timing Constraints Version 2 EE IIT, Kharagpur 2 Specific Instructional Objectives At the end of this lesson, the

More information

for System Modeling, Analysis, and Optimization

for System Modeling, Analysis, and Optimization Fundamental Algorithms for System Modeling, Analysis, and Optimization Stavros Tripakis UC Berkeley EECS 144/244 Fall 2013 Copyright 2013, E. A. Lee, J. Roydhowdhury, S. A. Seshia, S. Tripakis All rights

More information

Johns Hopkins Math Tournament Proof Round: Automata

Johns Hopkins Math Tournament Proof Round: Automata Johns Hopkins Math Tournament 2018 Proof Round: Automata February 9, 2019 Problem Points Score 1 10 2 5 3 10 4 20 5 20 6 15 7 20 Total 100 Instructions The exam is worth 100 points; each part s point value

More information

Introduction. Pedro Cabalar. Department of Computer Science University of Corunna, SPAIN 2013/2014

Introduction. Pedro Cabalar. Department of Computer Science University of Corunna, SPAIN 2013/2014 Introduction Pedro Cabalar Department of Computer Science University of Corunna, SPAIN cabalar@udc.es 2013/2014 P. Cabalar ( Department Introduction of Computer Science University of Corunna, SPAIN2013/2014

More information

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège Temporal logics and explicit-state model checking Pierre Wolper Université de Liège 1 Topics to be covered Introducing explicit-state model checking Finite automata on infinite words Temporal Logics and

More information

Models for Control and Verification

Models for Control and Verification Outline Models for Control and Verification Ian Mitchell Department of Computer Science The University of British Columbia Classes of models Well-posed models Difference Equations Nonlinear Ordinary Differential

More information

MOST OF the published research on control of discreteevent

MOST OF the published research on control of discreteevent IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 43, NO. 1, JANUARY 1998 3 Discrete-Event Control of Nondeterministic Systems Michael Heymann and Feng Lin, Member, IEEE Abstract Nondeterminism in discrete-event

More information

7. Queueing Systems. 8. Petri nets vs. State Automata

7. Queueing Systems. 8. Petri nets vs. State Automata Petri Nets 1. Finite State Automata 2. Petri net notation and definition (no dynamics) 3. Introducing State: Petri net marking 4. Petri net dynamics 5. Capacity Constrained Petri nets 6. Petri net models

More information

Lecture 9: DC Implementables II

Lecture 9: DC Implementables II Real-Time Systems Lecture 9: DC Implementables II 2017-11-28 Dr. Bernd Westphal Albert-Ludwigs-Universität Freiburg, Germany 9 2017-11-28 main Content Correctness Proof for the Gas Burner Implementables

More information

UNIT-VI PUSHDOWN AUTOMATA

UNIT-VI PUSHDOWN AUTOMATA Syllabus R09 Regulation UNIT-VI PUSHDOWN AUTOMATA The context free languages have a type of automaton that defined them. This automaton, called a pushdown automaton, is an extension of the nondeterministic

More information

Global Analysis of Piecewise Linear Systems Using Impact Maps and Surface Lyapunov Functions

Global Analysis of Piecewise Linear Systems Using Impact Maps and Surface Lyapunov Functions IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL 48, NO 12, DECEMBER 2003 2089 Global Analysis of Piecewise Linear Systems Using Impact Maps and Surface Lyapunov Functions Jorge M Gonçalves, Alexandre Megretski,

More information

The Simplex Method: An Example

The Simplex Method: An Example The Simplex Method: An Example Our first step is to introduce one more new variable, which we denote by z. The variable z is define to be equal to 4x 1 +3x 2. Doing this will allow us to have a unified

More information

Discrete abstractions of hybrid systems for verification

Discrete abstractions of hybrid systems for verification Discrete abstractions of hybrid systems for verification George J. Pappas Departments of ESE and CIS University of Pennsylvania pappasg@ee.upenn.edu http://www.seas.upenn.edu/~pappasg DISC Summer School

More information

HRML: a hybrid relational modelling language. He Jifeng

HRML: a hybrid relational modelling language. He Jifeng HRML: a hybrid relational modelling language He Jifeng Hybrid Systems Systems are composed by continuous physical component and discrete control component The system state evoles over time according to

More information

Boolean Algebras. Chapter 2

Boolean Algebras. Chapter 2 Chapter 2 Boolean Algebras Let X be an arbitrary set and let P(X) be the class of all subsets of X (the power set of X). Three natural set-theoretic operations on P(X) are the binary operations of union

More information

Requirements Validation. Content. What the standards say (*) ?? Validation, Verification, Accreditation!! Correctness and completeness

Requirements Validation. Content. What the standards say (*) ?? Validation, Verification, Accreditation!! Correctness and completeness Requirements Validation Requirements Management Requirements Validation?? Validation, Verification, Accreditation!! Check if evrything is OK With respect to what? Mesurement associated with requirements

More information

Automation in Complex Systems MIE090

Automation in Complex Systems MIE090 Automation in Complex Systems MIE090 Exam Monday May 29, 2017 You may bring the course book and the reprints (defined in the course requirements), but not the solution to problems or your own solutions

More information

Alternating-Time Temporal Logic

Alternating-Time Temporal Logic Alternating-Time Temporal Logic R.Alur, T.Henzinger, O.Kupferman Rafael H. Bordini School of Informatics PUCRS R.Bordini@pucrs.br Logic Club 5th of September, 2013 ATL All the material in this presentation

More information

Verification of quantitative properties of logic systems using model checker for hybrid automata

Verification of quantitative properties of logic systems using model checker for hybrid automata Verification of quantitative properties of logic systems using model checker for hybrid automata Z. Juarez, B. Denis, J.-J. Lesage LURPA, ENS de Cachan Outlines Motivation Why use a hybrid models for the

More information

Modelling Real-Time Systems. Henrik Ejersbo Jensen Aalborg University

Modelling Real-Time Systems. Henrik Ejersbo Jensen Aalborg University Modelling Real-Time Systems Henrik Ejersbo Jensen Aalborg University Hybrid & Real Time Systems Control Theory Plant Continuous sensors actuators Task TaskTask Controller Program Discrete Computer Science

More information

Lecture 6: Reachability Analysis of Timed and Hybrid Automata

Lecture 6: Reachability Analysis of Timed and Hybrid Automata University of Illinois at Urbana-Champaign Lecture 6: Reachability Analysis of Timed and Hybrid Automata Sayan Mitra Special Classes of Hybrid Automata Timed Automata ß Rectangular Initialized HA Rectangular

More information

Decentralized Control of Discrete Event Systems with Bounded or Unbounded Delay Communication

Decentralized Control of Discrete Event Systems with Bounded or Unbounded Delay Communication Decentralized Control of Discrete Event Systems with Bounded or Unbounded Delay Communication Stavros Tripakis Abstract We introduce problems of decentralized control with communication, where we explicitly

More information

How do PLC look like? What s special about PLC? What is a PLC? /50 2/50 5/50 6/50 3/ Splc main

How do PLC look like? What s special about PLC? What is a PLC? /50 2/50 5/50 6/50 3/ Splc main http://wikimedia.org (public domain) How do PLC look like? Albert-Ludwigs-Universität Freiburg, Germany Dr. Bernd Westphal 2013-05-29 Lecture 09: PLC Automata Real-ime Systems 4/50 http://wikimedia.org

More information

Semantic Equivalences and the. Verification of Infinite-State Systems 1 c 2004 Richard Mayr

Semantic Equivalences and the. Verification of Infinite-State Systems 1 c 2004 Richard Mayr Semantic Equivalences and the Verification of Infinite-State Systems Richard Mayr Department of Computer Science Albert-Ludwigs-University Freiburg Germany Verification of Infinite-State Systems 1 c 2004

More information

Complexity Issues in Automated Addition of Time-Bounded Liveness Properties 1

Complexity Issues in Automated Addition of Time-Bounded Liveness Properties 1 Complexity Issues in Automated Addition of Time-Bounded Liveness Properties 1 Borzoo Bonakdarpour and Sandeep S. Kulkarni Software Engineering and Network Systems Laboratory, Department of Computer Science

More information

EE 144/244: Fundamental Algorithms for System Modeling, Analysis, and Optimization Fall 2014

EE 144/244: Fundamental Algorithms for System Modeling, Analysis, and Optimization Fall 2014 EE 144/244: Fundamental Algorithms for System Modeling, Analysis, and Optimization Fall 2014 Discrete Event Simulation Stavros Tripakis University of California, Berkeley Stavros Tripakis (UC Berkeley)

More information

Chapter 3 Deterministic planning

Chapter 3 Deterministic planning Chapter 3 Deterministic planning In this chapter we describe a number of algorithms for solving the historically most important and most basic type of planning problem. Two rather strong simplifying assumptions

More information

An introduction to Mathematical Theory of Control

An introduction to Mathematical Theory of Control An introduction to Mathematical Theory of Control Vasile Staicu University of Aveiro UNICA, May 2018 Vasile Staicu (University of Aveiro) An introduction to Mathematical Theory of Control UNICA, May 2018

More information

Simulation and Bisimulation over Multiple Time Scales in a Behavioral Setting

Simulation and Bisimulation over Multiple Time Scales in a Behavioral Setting 2014 22nd Mediterranean Conference on Control and Automation (MED) University of Palermo. June 16-19, 2014. Palermo, Italy Simulation and Bisimulation over Multiple ime Scales in a Behavioral Setting Anne-Kathrin

More information

Timed Automata. Chapter Clocks and clock constraints Clock variables and clock constraints

Timed Automata. Chapter Clocks and clock constraints Clock variables and clock constraints Chapter 10 Timed Automata In the previous chapter, we have discussed a temporal logic where time was a discrete entities. A time unit was one application of the transition relation of an LTS. We could

More information

Language Stability and Stabilizability of Discrete Event Dynamical Systems 1

Language Stability and Stabilizability of Discrete Event Dynamical Systems 1 Language Stability and Stabilizability of Discrete Event Dynamical Systems 1 Ratnesh Kumar Department of Electrical Engineering University of Kentucky Lexington, KY 40506-0046 Vijay Garg Department of

More information

Unbounded, Fully Symbolic Model Checking of Timed Automata using Boolean Methods

Unbounded, Fully Symbolic Model Checking of Timed Automata using Boolean Methods Unbounded, Fully Symbolic Model Checking of Timed Automata using Boolean Methods Sanjit A. Seshia and Randal E. Bryant Computer Science Department Carnegie Mellon University Verifying Timed Embedded Systems

More information

Safety and Liveness Properties

Safety and Liveness Properties Safety and Liveness Properties Lecture #6 of Model Checking Joost-Pieter Katoen Lehrstuhl 2: Software Modeling and Verification E-mail: katoen@cs.rwth-aachen.de November 5, 2008 c JPK Overview Lecture

More information

CPE/EE 422/522. Chapter 1 - Review of Logic Design Fundamentals. Dr. Rhonda Kay Gaede UAH. 1.1 Combinational Logic

CPE/EE 422/522. Chapter 1 - Review of Logic Design Fundamentals. Dr. Rhonda Kay Gaede UAH. 1.1 Combinational Logic CPE/EE 422/522 Chapter - Review of Logic Design Fundamentals Dr. Rhonda Kay Gaede UAH UAH Chapter CPE/EE 422/522. Combinational Logic Combinational Logic has no control inputs. When the inputs to a combinational

More information

The efficiency of identifying timed automata and the power of clocks

The efficiency of identifying timed automata and the power of clocks The efficiency of identifying timed automata and the power of clocks Sicco Verwer a,b,1,, Mathijs de Weerdt b, Cees Witteveen b a Eindhoven University of Technology, Department of Mathematics and Computer

More information

CONCATENATION AND KLEENE STAR ON DETERMINISTIC FINITE AUTOMATA

CONCATENATION AND KLEENE STAR ON DETERMINISTIC FINITE AUTOMATA 1 CONCATENATION AND KLEENE STAR ON DETERMINISTIC FINITE AUTOMATA GUO-QIANG ZHANG, XIANGNAN ZHOU, ROBERT FRASER, LICONG CUI Department of Electrical Engineering and Computer Science, Case Western Reserve

More information

Time Petri Nets. Miriam Zia School of Computer Science McGill University

Time Petri Nets. Miriam Zia School of Computer Science McGill University Time Petri Nets Miriam Zia School of Computer Science McGill University Timing Specifications Why is time introduced in Petri nets? To model interaction between activities taking into account their start

More information

Real-Time Feasibility of Nonlinear Predictive Control for Semi-batch Reactors

Real-Time Feasibility of Nonlinear Predictive Control for Semi-batch Reactors European Symposium on Computer Arded Aided Process Engineering 15 L. Puigjaner and A. Espuña (Editors) 2005 Elsevier Science B.V. All rights reserved. Real-Time Feasibility of Nonlinear Predictive Control

More information

On Timed Components and their Abstraction

On Timed Components and their Abstraction On Timed Components and their Abstraction Ramzi Ben Salah VERIMAG 2, av. de Vignate 386 Gieres, France Ramzi.Salah@imag.fr Marius Bozga VERIMAG 2, av. de Vignate 386 Gieres, France Marius.Bozga@imag.fr

More information