Designing Dependable Logic Controllers Using Algebraic Specifications Jean-Marc Roussel, Jean-Marc Faure
Total Page:16
File Type:pdf, Size:1020Kb
Designing dependable logic controllers using algebraic specifications Jean-Marc Roussel, Jean-Marc Faure To cite this version: Jean-Marc Roussel, Jean-Marc Faure. Designing dependable logic controllers using alge- braic specifications. Control Engineering Practice, Elsevier, 2006, 14 (10), pp.1143-1155. 10.1016/j.conengprac.2006.02.002. hal-00340844 HAL Id: hal-00340844 https://hal.archives-ouvertes.fr/hal-00340844 Submitted on 22 Nov 2008 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Designing dependable logic controllers using algebraic specifications Jean-Marc Roussel(1), Jean-Marc Faure(1)(2) (1)LURPA, ENS de CACHAN, 61 avenue du président Wilson, F-94235 CACHAN Cedex, France. (2)SUPMECA, 3 rue Fernand Hainaut, F-93407 Saint-Ouen Cedex, France. Abstract Formal methods can strongly contribute to improve dependability of logic controllers during design, by providing means to avoid flaws due to designers' omissions or specifications misinterpretations. This article presents a formal synthesis method that is aimed at obtaining the control laws of a logic system from specifications given in natural language. The formal framework that underlies the method is a Boolean algebra for logic Discrete Event Systems. The operations and relations of this algebra enable to represent controller specifications formally, to detect inconsistencies within specifications and to generate control laws from a consistent specifications set. The scalability of this method is clearly demonstrated with the help of the case study of an experimental manufacturing line. Keywords: Discrete Event Systems; Formal methods; Dependability; Logic controllers; Algebraic approach; Boolean algebra; Synthesis 1. Introduction using model-checking techniques (Bérard et al., 1999) pro- vided that control laws can be formally represented in the Logic controllers are used in an increasing number of sys- form of state automata (De Smet & Rossi, 2002; Klein et al., tems such as embedded systems, transport systems, power 2003). The second approach (Ramadge & Wonham, 1989; plants and production systems. Numerous components of Wang, 2000; Zaytoon & Carré-Ménétrier, 2001; Nourelfath our daily lives and of the economy at large thereby rely upon & Niel, 2004; Gouyon et al., 2004) is intended to deduce di- the successful operations of these controllers. This explains rectly the control laws from the specifications, without any why dependability of logic controllers is a major concern for involvement of a designer (or at least in limiting involve- control engineers. ment to a strict minimum). To improve dependability of logic controllers, it is impor- The work presented herein is aimed at avoiding flaws dur- tant to make sure that no flaw due to a misinterpretation of ing the design of logic controllers, by proposing a formal the specifications or to any other reason has been introduced method that enables the deduction of a complete and consist- during design. A logic controller can in fact only be referred ent formal description of control laws, from specifications to as dependable if its behaviour fulfils the application re- expressed in natural language. A specific algebraic model- quirements and therefore must not include design errors ling framework underlies this formal method; this feature leading to non-functional or hazardous behaviours. prevents state space explosion that is often encountered when applying the previously mentioned formal methods to To solve this problem, numerous formal methods have industrial size problems. Moreover the formal description of been proposed during the last decade. They are aimed either control laws obtained at the end of design can be easily trans- at detecting flaws once the controller is designed or at avoid- lated into a program developed in a standardised language ing flaws during design. The first approach consists in letting for programmable logic controllers. The aim of this formal the control system designer develop control laws based on method is indeed to provide a seamless whole from specifi- the requirements contained in the set of specifications and cations analysis to implementation. then in automatically analysing a formal representation of these control laws. Such an analysis may be carried out by This article is organised as follows. Section 2 is dedicated The search for solutions to this system of m equations gen- to the objective and the main principles of this method as erally requires a reformulation of the problem in the form of well as to the introduction to the formal framework. The ba- a state model, thereby the introduction of other variables, sic definitions, operations and relations of this framework state variables Xj recording the system evolution. Despite are discussed in section 3, while section 4 deals with symbol- its advantages, this approach displays the disadvantage of ic calculus possibilities, focusing mainly on equations sys- merely providing specific solutions, at a given point in time, tem solving. Once the formal bases are defined, the design as exemplified in the form of “Yi becomes true when Uk be- method is presented in section 5 thanks to a simple example. comes false and if variables X2 , X5 and X8 are false while The result obtained is compared in section 6 with a SFC de- variables X3 and X10 true”, but never a general solution that veloped by a traditional engineering approach, so as to point holds true regardless of the date considered. Moreover mod- out two significant benefits of the proposed formal method. elling a state automaton-based dynamic system corresponds In order to assess the scalability of this method, section 7 de- to an imperative design approach, whereas control system scribes a case study of a controller including 72 control laws. specifications are in most cases given in declarative form. The results obtained in this case study provide investigation The transition from one of these representation modes to the prospects discussed in the last section. other one always requires a major effort. For both reasons, the proposed design method relies upon 2. Objective a special formalism, named algebra II (called I), that was de- veloped by our research team. The basic elements of this for- The starting point of the proposed design method is the set malism consist of time functions Ui()t , Yi()t . The of specifications inherent in the control system, as expressed operations that enabled us to compose these functions lead to in natural language. These specifications describe the ex- defining an algebraic structure in which the simultaneous pected behaviour of the control system, in the form of vivac- manipulation of Boolean variable states, state changes of ity constraints (what the control system must accomplish) these variables (events) and physical time values is possible. and safety constraints (what the system must not accom- plish), and may include constraints coming from actuator In sum, the proposed design method for dependable logic and sensor technology choices. All of these constraints are to control systems calls for developing a set of control laws in be expressed in the form of logic assertions, i.e., propositions the form of time functions, from specifications given in the that must be true for the desired control system (see section form of assertions in natural language. This method (Fig. 1) 5.1). At this point, however, it is important to highlight the requires formalizing specifications into relations within al- following points: gebra II , checking the consistency of the set of assertions and generating the expected control laws from the consistent • The control specifications of a logic system can make ref- set of specifications obtained. erence to logic variable states, to state changes of these Specifications in the form of assertions logic variables (events), or to physical time values. The expressed in natural language formalism that supports the design method is to be endowed with the capability of expressing these three Formalization of the specifications types of variables. 1 into algebra II relations • A set of specifications does not necessarily have to be Consistency checking consistent. The design method must therefore be capable 2 of detecting possible inconsistencies in the specifications and inconsistencies removal and then of proposing solutions to solve these problems. 3 Generation of control laws Control laws are to be designed on the basis of this list of assertions. For a dynamic logic control system with n Control laws Boolean input variables U t to U t and m Boolean out- 1() n() Fig. 1 Method overview put variables Y1()t to Ym()t , the target control laws must specify at each date t the output values as functions of input A large part of the method – consistency checking and values, which leads to (Cassandras & Lafortune, 1999): control laws generation – is automated thanks to a symbolic Y1()t = f1()U1()…t ,,Un()t calculus software tool able to manipulate algebra II state- ments. Conversely inconsistencies removal will always re- … quire the designer's competence. Ym()t = fm()U1()…t ,,Un()t 2/13 3. Formal framework: a Boolean algebra for binary SR() s, r ()t = st()∨ signals []∃t1 < t : ()()st()1 = 1 ∧ ()∀d ∈ (t1, t] : ()rs⋅ ()d = 0 3.1 Concept of binary signals RS() s, r ()t = ()st()∧ ¬rt() ∨ []∃t1 < t : ()()st()1 = 1 ∧ ()∀d ∈ []t1, t , ()rd()= 0 To describe the behaviour of logic systems, control engi- neers must refer to logic variables states, to state changes of these variables (events), and to physical time values. This ft() explains why they are used to employ commonly timing di- d d t agrams that describe, in an intuitive way, logic signals be- ()df⁄ ()t haviour.