Verification of Hybrid Controlled Processing Systems based on Decomposition and Deduction

Goran Frehse · Olaf Stursberg · Sebastian Engell
Process Control Laboratory, University of Dortmund, Germany

Ralf Huuck · Ben Lukoschus *
Chair of Software Technology, University of Kiel, Germany
* visiting SRI International, Menlo Park, CA, USA

ISIC 2001 · Mexico City · September 5–7, 2001

G. Frehse et al.: Verification of Hybrid Controlled Processing Systems based on Decomposition and Deduction – p.1 ISIC 2001
Introduction and Motivation

Given: hybrid process ↔ distributed controller
Need: proof of a global property of this system
Problem: if the system is
• of high complexity and
• involves parallel and hierarchical structures,
verification is difficult.
Basic idea: “divide and conquer”
The Approach

System (process ↔ controllers)
  ↓ Decomposition (physical, functional)
Modules M1 ↔ M2 . . . Mn
  ↓ Modeling and Abstraction
Automata S1 ↔ S2 . . . Sn (timed, hybrid)
  ↓ Model Checking (algorithmic)
Local Properties (a1, c1), (a2, c2), . . . , (an, cn) (A/C-style)
  ↓ Deduction (manual, tool-supported)
Global Property (a, c)
Example: A Multi-Product Batch Plant

• located at: Process Control Lab, University of Dortmund (Germany)
• chemical batch production process
• used for teaching:
  ◦ process control
  ◦ PLC programming
• case study in research projects:
  ◦ modeling
  ◦ formal verification
  ◦ scheduling
Example: A Multi-Product Batch Plant

• 2 products: blue, green
• 3 basic substances: yellow, red, white
• 3 reactors for production of blue, green
• PLC-based distributed control system

(Plant flowsheet, showing B11, B12, B13 with P1, P2, P3; M1, M2, M3; R21, R22, R23; B31, B32; and the valves V111–V133, V211–V232, V311, V312.)
Decomposition

• Plant Hardware
  ◦ tanks, pumps
  ◦ reactors, mixers
  ◦ valves, pipes
  ◦ sensors
• Control Software
  ◦ raw material delivery
  ◦ production
  ◦ resource management
  ◦ emergency shutdown, maintenance, . . .

(Same plant flowsheet as on the slide “Example: A Multi-Product Batch Plant”.)
Modeling and Abstraction

Modeling framework: communicating linear hybrid automata (CLHA)
CLHA are linear hybrid automata (LHA) with
• continuous input/output variables
• labels for directed and undirected communication:
  ◦ send
  ◦ receive
  ◦ synchronization
Modeling and Abstraction

CLHA model of Tank B31
• draining (V211 closed): level sinks with rate r1 = 1 cm s⁻¹
• filling (V211 open): level rises with rate r2 = 2 cm s⁻¹
• desired level: 0 < h < h_max

(Automaton diagram: location draining with dh = −r1 and invariant h ≥ 0; location filling with dh = r2 and invariant h ≤ h_max; locations empty and overflow. The label fill? switches draining → filling, drain? switches filling → draining; draining enters empty when h ≤ 0, filling enters overflow when h ≥ h_max. Tank sketch: B31 with level h between 0 and h_max, valve V211 above, valve V311 below.)
Model Checking

The Assumption/Commitment (A/C) paradigm
• assumption a: expected behavior of the environment
• commitment c: guaranteed behavior of the module

The semantics of an A/C formula (a, c):
S ⊨ (a, c) ⇔ “if the environment of module S fulfills a, then module S fulfills c”

Example: A/C property of Tank B31
• a: “fill” happens before h ≤ 0 and “drain” before h ≥ h_max
• c: Tank B31 does not run empty and does not overflow
Model Checking

Verifying B31 ⊨ (a, c)
Model checkers usually do not support A/C directly, but:
• a can be expressed as another automaton A (sending “fill” and “drain” at the right time)
• c can be expressed as the reachability property “the states empty and overflow are never reached”
Now use a hybrid model checker to show
B31 || A ⊨ ¬reach(empty) ∧ ¬reach(overflow)
A is much smaller than the full environment of B31 ⇒ model checking becomes feasible
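The tank model of the “Modeling and Abstraction” slide and the composition check B31 || A of this slide, carried out in code. This is an added example, not the authors' tool or model files: it encodes Tank B31 as a CLHA with the slide's rates and labels, constructs an environment automaton A that sends fill and drain at assumed thresholds h_low and h_high, and computes the locations of B31 reachable in B31 || A by interval propagation. For one continuous variable with constant rates the time-elapse step is exact; the hull taken over entry intervals of a location pair is an over-approximation, which is sound for proving empty and overflow unreachable. h_max = 10 cm, the initial level and the thresholds are assumptions. Running it with h_low = 0 (fill sent only once h ≤ 0, so a is violated) makes empty reachable, which shows why c is only guaranteed under a.

```python
"""Interval reachability for Tank B31 composed with an environment automaton A.
Added example (not the authors' tool).  H_MAX, the initial level and the
thresholds of A are assumptions.  Intervals are (lo, hi); None = open bound."""
from fractions import Fraction

R1 = Fraction(1)      # draining rate r1 = 1 cm/s (from the slide)
R2 = Fraction(2)      # filling rate r2 = 2 cm/s (from the slide)
H_MAX = Fraction(10)  # assumed tank height h_max in cm

def meet(i, j):
    """Intersection of two intervals; None if they do not overlap."""
    los = [b for b in (i[0], j[0]) if b is not None]
    his = [b for b in (i[1], j[1]) if b is not None]
    lo = max(los) if los else None
    hi = min(his) if his else None
    if lo is not None and hi is not None and lo > hi:
        return None
    return (lo, hi)

def hull(i, j):
    """Smallest interval containing both: an over-approximation of the
    union, sound when the goal is to show a location unreachable."""
    lo = None if i[0] is None or j[0] is None else min(i[0], j[0])
    hi = None if i[1] is None or j[1] is None else max(i[1], j[1])
    return (lo, hi)

def elapse(entry, rate, inv):
    """Levels reachable by letting time pass from 'entry' (inside 'inv')
    at a constant rate: exact for a single continuous variable."""
    if rate > 0:
        return (entry[0], inv[1])   # rises until the upper invariant bound
    if rate < 0:
        return (inv[0], entry[1])   # sinks until the lower invariant bound
    return entry

# Tank B31 as on the slide: locations (rate, invariant), edges
# (source, label, guard, target); label None marks a local edge.
TANK = {
    "init": "draining",
    "locs": {
        "draining": (-R1, (Fraction(0), None)),   # invariant h >= 0
        "filling":  (R2, (None, H_MAX)),          # invariant h <= h_max
        "empty":    (Fraction(0), (None, None)),
        "overflow": (Fraction(0), (None, None)),
    },
    "edges": [
        ("draining", "fill",  (None, None),        "filling"),   # fill?
        ("filling",  "drain", (None, None),        "draining"),  # drain?
        ("draining", None,    (None, Fraction(0)), "empty"),     # h <= 0
        ("filling",  None,    (H_MAX, None),       "overflow"),  # h >= h_max
    ],
}

def environment(h_low, h_high):
    """Constructed environment automaton A.  Its invariants make the sends
    urgent: 'fill' goes out as soon as h reaches h_low, 'drain' as soon as h
    reaches h_high.  A fulfils assumption a when 0 < h_low < h_high < h_max."""
    h_low, h_high = Fraction(h_low), Fraction(h_high)
    return {
        "init": "watch_low",
        "locs": {
            "watch_low":  (Fraction(0), (h_low, None)),   # h >= h_low
            "watch_high": (Fraction(0), (None, h_high)),  # h <= h_high
        },
        "edges": [
            ("watch_low",  "fill",  (None, h_low),  "watch_high"),  # fill!
            ("watch_high", "drain", (h_high, None), "watch_low"),   # drain!
        ],
    }

def reachable(tank, env, h0):
    """Tank locations reachable in tank || env from the level interval h0."""
    seen, work = {}, [(tank["init"], env["init"], h0)]
    while work:
        tl, el, entry = work.pop()
        inv = meet(tank["locs"][tl][1], env["locs"][el][1])
        entry = meet(entry, inv) if inv is not None else None
        if entry is None:
            continue                      # target invariant rejects the jump
        key = (tl, el)
        if key in seen:
            entry = hull(seen[key], entry)
            if entry == seen[key]:
                continue                  # nothing new for this location pair
        seen[key] = entry
        reach = elapse(entry, tank["locs"][tl][0] + env["locs"][el][0], inv)
        for src, lab, guard, dst in tank["edges"]:
            if src != tl:
                continue
            if lab is None:               # local edge: only the tank moves
                nxt = meet(reach, guard)
                if nxt is not None:
                    work.append((dst, el, nxt))
                continue
            for esrc, elab, eguard, edst in env["edges"]:
                if esrc == el and elab == lab:   # send in A, receive in tank
                    nxt = meet(reach, guard)
                    nxt = meet(nxt, eguard) if nxt is not None else None
                    if nxt is not None:
                        work.append((dst, edst, nxt))
    return {tl for tl, _ in seen}

def satisfies_commitment(env, h0=(5, 5)):
    """B31 || A |= not reach(empty) and not reach(overflow)."""
    return not ({"empty", "overflow"} & reachable(TANK, env, h0))
```

`satisfies_commitment(environment(2, 8))` holds, while `environment(0, 8)` reaches empty and `environment(2, 10)` reaches overflow: the check verifies c only relative to the A that stands in for a, exactly as the slide states. A real hybrid model checker works on polyhedra over all continuous variables; the interval version here is that computation restricted to the one-variable tank.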
Deduction

Given
• the local properties S1 ⊨ (a1, c1), . . . , Sn ⊨ (an, cn)
• additional conditions B
we use deductive analysis to derive
• a global property (a, c) of the system.
A theorem prover (e.g., PVS) can be used to support the analysis.
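One instance of such a deduction step, added here to illustrate how the local A/C properties combine; it is not a rule stated on the slides. For two modules whose dependency is acyclic ($S_1$ receives input only from the outside, $S_2$ only from $S_1$; think of $S_1$ as the controller part that sends fill and drain and of $S_2$ as Tank B31), the conditions $B$ discharge the assumptions:

$$
\frac{S_1 \models (a_1, c_1) \qquad S_2 \models (a_2, c_2) \qquad B \wedge a \Rightarrow a_1 \qquad B \wedge c_1 \Rightarrow a_2 \qquad c_1 \wedge c_2 \Rightarrow c}{S_1 \parallel S_2 \models (B \wedge a,\; c)}
$$

Here $a_2$ is the timing assumption of the A/C example (fill before $h \le 0$, drain before $h \ge h_{max}$), $c_2$ is “B31 neither runs empty nor overflows”, $c_1$ must state that the controller issues fill and drain in time, and $B$ collects whatever additional conditions are needed for $c_1$ to imply $a_2$. If modules depend on each other in a cycle, the obligations $c_1 \Rightarrow a_2$ and $c_2 \Rightarrow a_1$ become circular and the rule needs an induction over time; that is the part of the analysis where a prover such as PVS is most useful.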