Verification of Hybrid Controlled Processing Systems based on - - PowerPoint PPT Presentation

SLIDE 1

ISIC 2001

Verification of Hybrid Controlled Processing Systems based on Decomposition and Deduction

Goran Frehse · Olaf Stursberg · Sebastian Engell

Process Control Laboratory, University of Dortmund, Germany

Ralf Huuck · Ben Lukoschus*

Chair of Software Technology, University of Kiel, Germany

*visiting SRI International, Menlo Park, CA, USA

ISIC 2001 · Mexico City · September 5–7, 2001

• G. Frehse et al.: Verification of Hybrid Controlled Processing Systems based on Decomposition and Deduction – p.1

SLIDE 2

ISIC 2001

Introduction and Motivation

Given: hybrid process ↔ distributed controller Need: proof of a global property of this system Problem: if the system is

• of high complexity and
• involves parallel and hierarchical structures,

verification is difficult. Basic idea: “divide and conquer”

• G. Frehse et al.: Verification of Hybrid Controlled Processing Systems based on Decomposition and Deduction – p.2

SLIDE 3

ISIC 2001

The Approach

process ↔ controllers

System

✟ ✟ ✟ ✟ ✙ ❄ ❍❍❍❍ ❥

Decomposition

(physical, functional)

M1 ↔ M2 . . . Mn

Modules

❄ ❄ ❄

Modeling and Abstraction

S1 ↔ S2 . . . Sn

Automata

(timed, hybrid)

❄ ❄ ❄

Model Checking

(algorithmic)

(a1, c1) (a2, c2) (an, cn) Local Properties

(A/C-style)

❍❍❍❍ ❥ ❄ ✟ ✟ ✟ ✟ ✙

Deduction

(manual, tool-supported)

(a, c)

Global Property

• G. Frehse et al.: Verification of Hybrid Controlled Processing Systems based on Decomposition and Deduction – p.3

SLIDE 4

ISIC 2001

Example: A Multi-Product Batch Plant

• located at: Process Control Lab,

University of Dortmund (Germany)

• chemical batch production process
• used for teaching:
• process control
• PLC programming
• case study in research projects:
• modeling
• formal verification
• scheduling
• G. Frehse et al.: Verification of Hybrid Controlled Processing Systems based on Decomposition and Deduction – p.4

SLIDE 5

ISIC 2001

Example: A Multi-Product Batch Plant

❄

V311 ✁

✁ ❆ ❆ ✂ ✂ ✁ ✁

B31

❄

V312 ✁

✁ ❆ ❆ ✂ ✂ ✁ ✁

B32

✲ ✐

P1

❄ ✲

V111

✟ ✟ ❍ ❍ r ✲

V112

✟ ✟ ❍ ❍ r ✲

V113

✟ ✟ ❍ ❍ ✂ ✂ ✁ ✁

B11

✲ ✐

P2

❄ ✲

V121

✟ ✟ ❍ ❍ r ✲

V122

✟ ✟ ❍ ❍ ✲

V123

✟ ✟ ❍ ❍ ✂ ✂ ✁ ✁

B12

✲ ✐

P3

❄ ✲

V131

✟ ✟ ❍ ❍ r ✲

V132 ✁

✁ ❆ ❆ r ✲

V133

✟ ✟ ❍ ❍ ✂ ✂ ✁ ✁

B13

✲

V211 ✁

✁ ❆ ❆ r ✲

V212

✟ ✟ ❍ ❍ ✂ ✂ ✁ ✁

R21

✐

M

M1

✲

V221

✟ ✟ ❍ ❍ r ✲

V222

✟ ✟ ❍ ❍ ✂ ✂ ✁ ✁

R22

✐

M

M2

✲

V231

✟ ✟ ❍ ❍ r ✲

V232

✁ ✁ ❆ ❆ ✂ ✂ ✁ ✁

R23

✐

M

M3

• 2 products:

blue, green

• 3 basic substances:

yellow, red, white

• 3 reactors for

production of blue, green

• PLC-based distributed

control system

• G. Frehse et al.: Verification of Hybrid Controlled Processing Systems based on Decomposition and Deduction – p.5

SLIDE 6

ISIC 2001

Decomposition

process ↔ controllers

System

✟ ✟ ✟ ✟ ✙ ❄ ❍❍❍❍ ❥

Decomposition

(physical, functional)

M1 ↔ M2 . . . Mn

Modules

❄ ❄ ❄

Modeling and Abstraction

S1 ↔ S2 . . . Sn

Automata

(timed, hybrid)

❄ ❄ ❄

Model Checking

(algorithmic)

(a1, c1) (a2, c2) (an, cn) Local Properties

(A/C-style)

❍❍❍❍ ❥ ❄ ✟ ✟ ✟ ✟ ✙

Deduction

(manual, tool-supported)

(a, c)

Global Property

• G. Frehse et al.: Verification of Hybrid Controlled Processing Systems based on Decomposition and Deduction – p.6

SLIDE 7

ISIC 2001

Decomposition

❄

V311 ✁

✁ ❆ ❆ ✂ ✂ ✁ ✁

B31

❄

V312 ✁

✁ ❆ ❆ ✂ ✂ ✁ ✁

B32

✲ ✐

P1

❄ ✲

V111

✟ ✟ ❍ ❍ r ✲

V112

✟ ✟ ❍ ❍ r ✲

V113

✟ ✟ ❍ ❍ ✂ ✂ ✁ ✁

B11

✲ ✐

P2

❄ ✲

V121

✟ ✟ ❍ ❍ r ✲

V122

✟ ✟ ❍ ❍ ✲

V123

✟ ✟ ❍ ❍ ✂ ✂ ✁ ✁

B12

✲ ✐

P3

❄ ✲

V131

✟ ✟ ❍ ❍ r ✲

V132 ✁

✁ ❆ ❆ r ✲

V133

✟ ✟ ❍ ❍ ✂ ✂ ✁ ✁

B13

✲

V211 ✁

✁ ❆ ❆ r ✲

V212

✟ ✟ ❍ ❍ ✂ ✂ ✁ ✁

R21

✐

M

M1

✲

V221

✟ ✟ ❍ ❍ r ✲

V222

✟ ✟ ❍ ❍ ✂ ✂ ✁ ✁

R22

✐

M

M2

✲

V231

✟ ✟ ❍ ❍ r ✲

V232

✁ ✁ ❆ ❆ ✂ ✂ ✁ ✁

R23

✐

M

M3

• Plant Hardware
• tanks, pumps
• reactors, mixers
• valves, pipes
• sensors
• Control Software
• raw material delivery
• production
• resource management
• emergency shutdown,

maintenance, . . .

• G. Frehse et al.: Verification of Hybrid Controlled Processing Systems based on Decomposition and Deduction – p.7

SLIDE 8

ISIC 2001

Modeling and Abstraction

process ↔ controllers

System

✟ ✟ ✟ ✟ ✙ ❄ ❍❍❍❍ ❥

Decomposition

(physical, functional)

M1 ↔ M2 . . . Mn

Modules

❄ ❄ ❄

Modeling and Abstraction

S1 ↔ S2 . . . Sn

Automata

(timed, hybrid)

❄ ❄ ❄

Model Checking

(algorithmic)

(a1, c1) (a2, c2) (an, cn) Local Properties

(A/C-style)

❍❍❍❍ ❥ ❄ ✟ ✟ ✟ ✟ ✙

Deduction

(manual, tool-supported)

(a, c)

Global Property

• G. Frehse et al.: Verification of Hybrid Controlled Processing Systems based on Decomposition and Deduction – p.8

SLIDE 9

ISIC 2001

Modeling and Abstraction

Modeling framework: communicating linear hybrid automata (CLHA) CLHA are LHA with

• continuous input/output variables
• labels for directed and undirected communication:
• send
• receive
• synchronization
• G. Frehse et al.: Verification of Hybrid Controlled Processing Systems based on Decomposition and Deduction – p.9

SLIDE 10

ISIC 2001

Modeling and Abstraction

✲

V211 ✁

✁ ❆ ❆ ❄

V311 ✁

✁ ❆ ❆ ❄

V311 ✁

✁ ❆ ❆ ❄

V311 ✁

✁ ❆ ❆

hmax

✂ ✂ ✁ ✁

B31

CLHA model of Tank B31

• draining (V211 closed): level sinks with rate r1 = 1 cm s−1
• filling (V211 open): level rises with rate r2 = 2 cm s−1
• desired level: 0 < h < hmax

✍✌ ✎☞ ⑦

draining dh = −r1 h ≥ 0

❧ ✲

h ≤ 0

❄

fill?

✍✌ ✎☞ ⑦

filling dh = r2 h ≤ hmax

✲

h ≥ hmax

✻

drain?

✍✌ ✎☞ ⑦

empty

✍✌ ✎☞ ⑦

• verflow
• G. Frehse et al.: Verification of Hybrid Controlled Processing Systems based on Decomposition and Deduction – p.10

SLIDE 11

ISIC 2001

Model Checking

process ↔ controllers

System

✟ ✟ ✟ ✟ ✙ ❄ ❍❍❍❍ ❥

Decomposition

(physical, functional)

M1 ↔ M2 . . . Mn

Modules

❄ ❄ ❄

Modeling and Abstraction

S1 ↔ S2 . . . Sn

Automata

(timed, hybrid)

❄ ❄ ❄

Model Checking

(algorithmic)

(a1, c1) (a2, c2) (an, cn) Local Properties

(A/C-style)

❍❍❍❍ ❥ ❄ ✟ ✟ ✟ ✟ ✙

Deduction

(manual, tool-supported)

(a, c)

Global Property

• G. Frehse et al.: Verification of Hybrid Controlled Processing Systems based on Decomposition and Deduction – p.11

SLIDE 12

ISIC 2001

Model Checking

The Assumption/Commitment (A/C) paradigm

assumption a expected behavior of the environment commitment c guaranteed behavior of the module

The Semantics of an A/C Formula (a, c)

S | = (a, c) ⇐ ⇒ “if the environment of module S fulfills a, then module S fulfills c”

Example: A/C Property of Tank B31

a “fill” happens before h ≤ 0 and “drain” before h ≥ hmax c Tank B31 does not run empty and does not overflow

• G. Frehse et al.: Verification of Hybrid Controlled Processing Systems based on Decomposition and Deduction – p.12

SLIDE 13

ISIC 2001

Model Checking

Verifying B31 | = (a, c)

Model checkers usually do not support A/C directly, but:

• a can be expressed as another automaton A

(sending “fill” and “drain” at the right time)

• c can be expressed as the reachability property

“the states empty and overflow are never reached” Now use a hybrid model checker to show B31||A | = ¬reach(empty) ∧ ¬reach(overflow) A is much smaller than the full environment of B31 ⇒ model checking becomes feasible

• G. Frehse et al.: Verification of Hybrid Controlled Processing Systems based on Decomposition and Deduction – p.13

SLIDE 14

ISIC 2001

Deduction

process ↔ controllers

System

✟ ✟ ✟ ✟ ✙ ❄ ❍❍❍❍ ❥

Decomposition

(physical, functional)

M1 ↔ M2 . . . Mn

Modules

❄ ❄ ❄

Modeling and Abstraction

S1 ↔ S2 . . . Sn

Automata

(timed, hybrid)

❄ ❄ ❄

Model Checking

(algorithmic)

(a1, c1) (a2, c2) (an, cn) Local Properties

(A/C-style)

❍❍❍❍ ❥ ❄ ✟ ✟ ✟ ✟ ✙

Deduction

(manual, tool-supported)

(a, c)

Global Property

• G. Frehse et al.: Verification of Hybrid Controlled Processing Systems based on Decomposition and Deduction – p.14

SLIDE 15

ISIC 2001

Deduction

Given

• the local properties S1 |

= (a1, c1), . . . , Sn | = (an, cn)

• additional conditions B

we use deductive analysis to derive

• a global property (a, c) of the system.

A theorem prover (e.g., PVS) can be used to support the analysis.

• G. Frehse et al.: Verification of Hybrid Controlled Processing Systems based on Decomposition and Deduction – p.15

SLIDE 16

ISIC 2001

Deduction

❄

V311 ✁

✁ ❆ ❆ ✂ ✂ ✁ ✁

B31

✲ ✐

P1

❄ ✲

V111

✟ ✟ ❍ ❍ ✂ ✂ ✁ ✁

B11

✲ ✐

P3

❄ ✲

V131

✟ ✟ ❍ ❍ ✂ ✂ ✁ ✁

B13

✲

V211 ✁

✁ ❆ ❆ ✂ ✂ ✁ ✁

R21

✐

M

M1

aB11 P1 can deliver yellow to B11 cB11 yellow is available for R21 aB13 P3 can deliver white to B13 cB13 white is available for R21 aR21 yellow and white are available for R21 cR21 R21 contains blue in time aCtrl R21 contains blue in time cCtrl “fill” happens before h ≤ 0 . . . a P1 and P3 can deliver raw materials c B31 does not run empty

• G. Frehse et al.: Verification of Hybrid Controlled Processing Systems based on Decomposition and Deduction – p.16

SLIDE 17

ISIC 2001

Computation Results

Verifying a part of the multi-product batch plant Method Memory Time conventional 70 MB 600 sec. A/C (17 specs) 17× < 1 MB 17× < 10 sec.

• G. Frehse et al.: Verification of Hybrid Controlled Processing Systems based on Decomposition and Deduction – p.17

SLIDE 18

ISIC 2001

Related Work

• Hungar (1993)

A/C and data abstraction for CSP programs

• Dingel, Filkorn (1995)

A/C and data abstraction for infinite state systems

• Xu, Swarup (1998)

A/C in Hoare logic and duration calculus

• de Alfaro, Alur, Grosu, Henzinger, Kang (2000)

A/G and refinement for reactive modules

• Henzinger, Minea, Prabhu (2001)

A/G for hierarchical hybrid systems

• Amla, Emerson, Namjoshi, Trefler (2001)

A/G for synchronous transition diagrams

• Shankar (2000) The SAL framework
• G. Frehse et al.: Verification of Hybrid Controlled Processing Systems based on Decomposition and Deduction – p.18