Design of Safe PLC Programs by Using Petri Nets and Formal Methods

Transcription

1 Design of Safe PLC Programs by Using Petri Nets and Formal Methods EUGEN IOAN GERGELY 1, LAURA COROIU 1, ALEXANDRU GACSADI 2 1 Department of Electrical Drives and Automation 2 Department of Electronics University of Oradea 1 Universitatii Str., Oradea ROMANIA egergely@uoradea.ro, lcoroiu@uoradea.ro, agacsadi@uoradea.ro Abstract: - The paper presents an approach which combines the formalism of Petri Nets and of model checking in order to deliver correct and dependable PLC programs. Based on SIPNs, a variant of PNs, the complete controller development process from an informal specification to the final implementation on a PLC is discussed. The SIPN formalized according to corresponding plant model enables the derivation of standard functional properties and the specific functional properties of the PLC control algorithm. These properties are verified and validated with the model checker tool Cadence SMV. In order to do this, the SIPN is translated into SMV input code, in which there are inserted the functional properties to be verified and validated, expressed by using Temporal Logic formulae. This correct SIPN is used as a basis for implementation. For the realization there are used standard PLC programming languages according to IEC It resulted that the approach provides correctness of the resulting PLC programs, which makes them much more dependable than direct implemented PLC code. In order to illustrate the approach steps a working example was used. Key-Words: - programmable logic controllers, signal interpreted Petri Networks, model checking 1 Introduction Today programmable logic controllers (PLCs) are the main equipment of automation in all areas from single machines to manufacturing plants and continuous processes. The increasing complexity of the control software and the rising of user-defined safety and functionality requirements necessitates new methods to provide proper control software in view of given requirements [1, 2]. Because of this growing complexity classical methods of designing PLC programs, like direct implementation, are no longer feasible. A method to handle these requirements lies in the application of formal methods in the PLC program design. It allows the application of formal verification and validation methods, which can assure that a program fulfills certain specified properties [3, 4, 5, 6]. The main purpose of using formal methods to design PLC programs is to derive a correct control algorithm prior to implementation and realization. In model-based approaches a model of the process under control is included in the analysis. Petri Networks (PNs) have shown good properties in modeling control algorithms [7, 8]. They proved to be able to express the causality and the concurrency of control algorithms in a transparent way. Signal Interpreted Petri Networks (SIPNs) are an extension of the basic PN framework. In addition to the potential of graphical representation and mathematical treatment of PNs, SIPNs allow explicit treatment of input/output facilities [9, 10]. The approach presented in the paper combines SIPNs and model checking in a framework which provides correct, thus dependable, PLC programs. The paper is structured as follows. In the next section are presented the basic concepts of SIPNs. Section 3 describes how to use formal methods in the control design process. In order to illustrate the approach steps, a complete controller development process, which includes the steps of design, verification, validation, implementation and realization on a PLC is presented in Section 4 through a working example. 2 The Formalism of SIPNs SIPNs are an extension of ordinary PNs [11] with input and outputs elements. A SIPN is a 10-tuple SIPN=(P, T, F, m 0, I, O, φ, ω, Ω, ν) with [9]: (P, T, F, m 0 ) - an ordinary PN with places P, transitions T, arcs F and binary initial marking m 0 I - a set of input signals O - a set of output signals φ - a mapping associating every transition with a firing condition ω - a mapping associating every place with an output ISSN: ISBN:

2 Ω - the output function which combines the output ω of all marked places ν - the variable definition which assigns a numeric data type according to [12] to every signal. Graphically there are two basic types of nodes, i.e. places and transitions, connected through directed arcs. Places are used to describe the controller state. These places can be marked (indicated by a token in the place) or non-marked. While a place is marked, it can influence its environment by setting one or more output functions. The state of the controller is given at any time by the set of marked places. The dynamic of the model is described by the flow of tokens through the net. To describe this flow, transitions that are connected to places via directed arcs are used. The firing of a transition removes the tokens from its input places and puts tokens in its output places. The firing of the transitions depends on its input signals. For the firing process there are five rules: 1. A transition is enabled if all its pre-places are marked and all its post-places are unmarked. 2. A transition fires immediately if it is enabled and its firing condition is fulfilled. 3. All transitions that can fire and are not in conflict with other transitions fire simultaneously. 4. The firing process is iterated until a stable marking is reached. 5. After a new stable marking is reached, the output signals are computed by evaluating the output functions of the marked places. Based on these rules the transitions that can fire in a given situation are detected and the next marking is calculated. 3 Formal Methods in the Control Design Process The process of control design is illustrated in Fig. 1. In most cases the designer of a control system starts with a given informal specification of the control system. The informal specification consists in a description of the uncontrolled process and requirements for the controlled systems, by using verbal descriptions, timing diagrams, equations, sketches, piping and instrumentation diagrams, etc. Direct requirements for the control algorithm are also possible. Fig. 1. Design process of control systems. The formalization represents the conversion of an informal specification into a formal specification (e.g., a SIPN). This conversion can be done by using computers, but it is not fully automatic and requires human expertise. The formalization of the informal specification consists in the following tasks: 1. Formalization of specific properties, which produces o set of properties to be fulfilled by the PLC or the controlled process. 2. Formal modeling of the uncontrolled process, which results in a process model that is needed in model-based approaches. 3. Direct formal modeling of the control algorithm, which can be done if the control problem given by the informal specification is very clear. Depending on the formal methods used, not all of these tasks have to be done. This paper focuses on the formalization of specific properties using temporal logic and model checking [13]. The implementation is the process of deriving the target-system dependent realization from the formal specification. Using one of the standardized PLC languages, the formal description of the control algorithm is implemented in a direct manner (by using a compiler) or indirectly (by using an interpreter implemented in the PLC). Generally, the realization includes hardware and software. Assuming a standard hardware with a well-defined functionality, the realization is in fact the program of the control algorithm (i.e., the software).for this, PLC languages according to [12] are more and more accepted. The verification and validation (V & V) are the main areas for applying formal methods in PLC programming [14]. Verification means the application of formal methods in order to prove that the control algorithm fulfills a given specification (i.e., standard functional properties), which yields important information about the correctness of the control algorithm. The properties investigated by verification are standard and hence can be assumed as already formalized. Therefore, the verification can be fully automated. In validation application specific functional properties of the control algorithm have to be formalized. Validation shows if the controlled process behaves as it should. The validation process uses as inputs the information from the informal specification and from realization. Hence, validation cannot be fully formal and cannot be fully automated, requiring the designers expertise. In this paper, in order to perform V & V it is used the same method: symbolic model checking. This is ISSN: ISBN:

3 a technique in which finite model of the system is built and the expected properties of the system are checked on this model. The system is modeled as a finite state transition system and the properties are expressed in a Temporal Logic [15]. Then, a search procedure is used to check whether the expected properties hold on the finite state transition system or not. In symbolic model checking the state space of the finite state transition system is not explicitly built, so Binary Decision Diagrams (BDDs) are used to represent the system states. The tool we use is Cadence SMV ( x.aspx). It requires on the one hand side a description of the control algorithm given in a text file and on the other hand a set of properties written in Temporal Logic. As a result, the model checker gives us a verdict (True/False) and a diagnosis which is a counterexample given as a trace. So, in order to use SMV, we have to translate the SIPN describing the control algorithm into SMV input code. Table 1. The PLC I/O signals. Type Name Meaning Input Start_button Starts one mixing cycle Input Tank_empty The tank is empty Input Tank_half The tank is filled with the necessary quantity of liquid A Input Tank_full The tank is filled with the necessary quantity of liquid B Output Open_Valve_1 Liquid A is filled into the tank Output Open_Valve_2 Liquid B is filled into the tank Output Open_Valve_3 The A+B mix is emptied from the tank Output Motor_on The A+B mix is stirred The informal specification (i.e., the expected behaviour) given above is formalized by developing the SIPN of the PLC control algorithm (see Fig. 3). 4 The Design Method: A Case Study The presented development approach was used to develop the PLC program for controlling the mixer in Fig. 2. Fig. 2. The mixing tank. The informal specification to be fulfilled by the mixer is as follows: After pressing the Start_button the liquid A is filled into the tank via Valve 1 until the input signal Tank half is received. Then, the liquid B is filled into the tank via Valve 2 until the level given by the input signal Tank full is reached. After this, the stirring motor M homogenizes the A+B mix for 60 seconds. Finally, the tank is emptied via Valve 3. The PLC I/O signals are given in Table 1. Fig. 3. The SIPN of the PLC control algorithm. The algorithm in Fig. 3 works as follows: in the initial state only P1 is marked and hence the output of the net is (Open_Valve_1, Open_Valve_2, Open_Valve_3, Motor_on) = (0, 0, 0, 0). Transition t1 fires when the start button is pressed (Start_button=1) and the tank is empty (Tank_empty=1). The token from P1 is removed and is generated in P2. Valve 1 is open, so the new output of the net is (1, 0, 0, 0). If in P1 the tank is not empty (Tank_empty=0), then t6 fires, also removing the token from P1 but putting it in P5. ISSN: ISBN:

4 After the filling level for liquid A is reached (Tank_half=1) when in P2, t2 can fire, thus moving the token from P2 to P3, which closes Valve 1 and opens Valve 2. When the filling level for liquid B is reached (Tank_full=1), then t3 fires and the token is moved from P3 to P4, thus starting the stirring motor M (Motor_on=1) for 60 seconds. The expiration of this time will fire t4, which moves the token from P4 to P5. The A+B mix is evacuated from the tank (Open_Valve_3=1) till the tank is empty. This will fire t5 which removes the token from P5 and puts it in P1, thus resulting the initial state again. The SIPN in Fig. 3 is used to formalize the standard functional properties and the specific functional properties of the PLC control algorithm. As mentioned in Section 3, the standard functional properties will be verified and the specific functional properties will be validated by model checking. For both of these the same tool -Cadence SMV- will be used. Therefore, all functional properties will be expressed as Temporal Logic formulae. The standard functional properties that the SIPN in Fig. 3 should fulfill are given in Table 2. It can be easily seen that the SIPN is implicitly safe due to its nature, so this property does not need any verification. Other properties, such as input dependence, can be verified by the analysis of the SIPN using Table 1. In order to verify that the algorithm is deterministic we have to examine each potential conflicting transitions in the SIPN. Since that in the SIPN model of the working example there are two such situations (t1 & t6, t4 & t6), the following properties are written: P1a: SPEC AG ~ (t1 & t6) (1) P1b: SPEC AG ~ (t4 & t6) (2) which means that it is always true (AG) that in the future (EF) transitions t1 & t6 and respectively transitions t4 & t6 do NOT (~) fire simultaneously. For verifying that the algorithm always terminates and never run in an infinite loop we create the variable eoc (End of Cycle) and the statement for its verification. For the working example its definition is: eoc := ~(t1 t2 t3 t4 t5 t6) (3) and the property which eoc has to comply with is: P2: SPEC AG EF eoc (4) In order to verify the output correctness property, it should be checked if the output signals are defined in every stable marking reached. For example, for the Motor_on output this would be: P3: SPEC AG EF ((eoc & Motor_on=0) (eoc & Motor_on=1)) (5) The other standard functional properties are inferred in a similar manner. Table 2. Standard Functional Properties of the SIPN. Property Definition Safety A SIPN is safe if the post-places of a transition need not to be checked to determine if the transition fires. Liveness When a transition or a set of transitions is no longer fireable, then part of the control algorithm doesn't work anymore (i.e. dead code). Reversibility The initial marking can always be reached again. Reachability A marking m' is reachable from a state m if there exists a sequence of inputs combinations such that a firing sequence starting from m has m' as a stable final marking. No Dynamic Two transitions t 1 and t 2 form a Synchronization dynamic synchronization if the firing of t 1 implies the simultaneous firing of t 2. Determinism The algorithm is deterministic if the transitions firing conditions at every branching are disjoint. Termination In a cyclic control algorithm at least one marking must be stable. The algorithm terminates if there is no self-loop at any place (i.e. never run in an infinite loop). Output correctness The output signals have to be formally correct, i.e. 0 or 1 at every Input dependence stage of the algorithm. Every input signal should have an influence on the control algorithm. For verifying the standard functional properties we use the tool Cadence SMV. It requires a description of the control algorithm written in a text file (.smv), in which is inserted the set of properties P1a, P1b, P2 and P3 written in Temporal Logic. If a checked property is fulfilled, SMV returns a True result. If a property is not fulfilled, SMV gives a False response and a counter-example as a trace. The verification shows that all above specified properties are fulfilled. This enables the inference of application specific functional properties (e.g. safety interlocks, disjoint activation of two output signals, etc.). These are formalized from the SIPN by manual synthesis, thus requiring the designer expertise. Some of the application specific functional properties which we want to be fulfilled by the working example are the followings: P4. It is forbidden that all three valves are open at the same time. Written in Temporal Logic this property is as follows: ISSN: ISBN:

5 P4a: SPEC AG ~((Open_Valve_1=1) & (Open_Valve_2=1)) (6) P4b: SPEC AG ~((Open_Valve_1=1) & (Open_Valve_3=1)) (7) P4c: SPEC AG ~((Open_Valve_2=1) & (Open_Valve_3=1)) (8) P5. Stirring in an empty tank cannot occur. In Temporal Logic this is: P5: SPEC AG (~(Tank_empty) EF ~(Motor_on=1)) (9) P6. Stirring starts only in a fully filled in tank, which in Temporal Logic is written as: P6: SPEC AG (~(Tank_full) EF ~(Motor_on=1)) (10) P7. Stirring does not start while a valve is open. In Temporal Logic this is written as: P7a: SPEC AG ~((Open_Valve_1=1) & (Motor_on=1)) (11) P7b: SPEC AG ~((Open_Valve_2=1) & (Motor_on=1)) (12) P7c: SPEC AG ~((Open_Valve_3=1) & (Motor_on=1)) (13) The validation of the application specific functional properties will be done with symbolic model verifier Cadence SMV as well. In order to do this, the Temporal Logic formulae of the specific functional properties P4 - P7 are inserted in the same.smv file as the Temporal Logic formulae of the standard functional properties. Launching Cadence SMV again on the.smv file yields True results, which means that the model is correct according to both standard and application specific functional properties. Fig. 4 shows the results for both verification and validation in a compact manner. Fig. 4. The results of V & V of functional properties. The V & V demonstrates that the SIPN in Fig. 3 is correct. Due to the fact that it gives visual feedback of the control flow, it is easy to apply and to implement, this correct SIPN serves as a basis for implementation. For the realization there are used standard PLC programming languages according to IEC [12]. In order to guarantee a correct realization the generation of the PLC code has to preserve the dynamic behaviour of the SIPN. 5 Conclusion The paper presents an approach to deliver correct and dependable PLC programs. Based on SIPNs, a variant of PNs, the complete controller development process from an informal specification to the final implementation on a PLC is discussed. This process includes the steps of design, verification, validation, implementation and realization. In order to illustrate the approach steps we used a working example. In the PLC programming SIPNs represents a tool that is capable of graphically describing sequential and concurrent algorithms, gives visual feedback of the control flow, it is easy to apply and easy to implement, resulting in fast codes. The SIPN formalized for the working example enabled the derivation of standard functional properties and the specific functional properties of the PLC control algorithm. Standard functional properties were verified using the Cadence SMV tool. For this, the SIPN model has been translated into a SMV input file, in which were inserted the standard functional properties also expressed in Temporal Logic. Then SMV has been used again in order to validate the application specific functional properties. In both cases SMV gave a True response, which means that our control algorithm is correct. The verified and validated SIPN according to corresponding working example model has been implemented in an IEC programming language. For the industrial realization of a controller standard PLC programming languages according to [2] are used. The properties of the SIPN can only be guaranteed for the implemented controller if the generation of PLC code from the SIPN preserves the dynamic behaviour of the latter. The presented approach combines SIPNs and model checking and provides correct, thus dependable, PLC programs. The dependability growth (in terms of safety and reliability) is undeniable, especially when compared with direct implemented PLC programs, although there are no metrics to estimate the dependability gain. ISSN: ISBN:

6 ACKNOWLEDGMENT This work was partially supported by a grant from the Romanian National University Research Council, PNCDI Program, ID-668/2008. References: [1] M.N. Lakhoua, Application of Functional Analysis on a SCADA system of a Thermal Power Plant, Advances in Electrical and Computer Engineering journal, Faculty of Electrical Engineering and Computer Science - Suceava, Romania, Vol. 9, No. 2, 2009, pp [2] J. Yoo, E. Jee and S. Cha, Formal Modeling and Verification of Safety-Critical Software, IEEE Software, IEEE Computer Society, 2009, pp [3] J.H. Kim, S.Y. Lee, Y.A. Ahn, J.H. Sim, J.S. Yang, N.Y. Lee and J.Y. Choi, Development of RTOS for PLC using formal methods, Lecture Notes in Computer Science, Springer-Verlag Berlin, Vol. 3299, 2004, pp [4] M. Zhou, F. He, M. Gu and X.Y. Song, Translation-based model checking for PLC programs, Proceedings of the IEEE 33 rd International Computer Software and Applications Conference, Seattle, USA, 2009, pp [5] T.L. Johnson, Improving automation software dependability: A role for formal methods?, Control Engineering Practice, Vol. 15, Issue 11, 2007, pp [6] S.R. Koo and P.H. Seong, Software design specification and analysis technique (SDSAT) for the development of safety-critical systems based on a programmable logic controller (PLC), Reliability Engineering & System Safety, Vol. 91, Issue 6, 2006, pp [7] J. Li, X. Dai, Z. Meng, J. Dou and X. Guan, Rapid design and reconfiguration of Petri net models for reconfigurable manufacturing cells with improved net rewriting systems and activity diagrams, Computers & Industrial Engineering, Vol. 57, Issue 4, 2009, pp [8] G. Music and D. Matko, An admissiblebehaviour-based analysis of the deadlock in Petri-net controllers, Simulation Modelling Practice and Theory, Vol. 16, Issue 8, 2008, pp [9] G. Frey, Design and Formal Analysis of Petri Net based Logic Control Algorithms, Dissertation University of Kaiserslautern, Aachen: Shaker Verlag, [10] J. Greifeneder and G. Frey, Reactivity Analysis of different Networked Automation System Architectures, Proceedings of the 13 th IEEE International Conference on Emerging Technologies and Factory Automation (ETFA 2008), Hamburg, Germany, 2008, pp [11] A.A. Desrochers and R.Y. Al-Yaar, Applications of Petri Nets in Manufacturing Systems, IEEE Press, Piscataway, USA, [12] International Electrotechnical Commission, IEC Programmable Controllers, [13] E. I. Gergely, Automatic safety analysis of computer controlled plants using model checking, Analele Universităţii din Oradea, Fascicola Electrotehnică, Secţiunea Ştiinţa Calculatoarelor şi Sisteme de Control, Oradea, Romania, 2005, pp [14] Nina Amla, X. Du, A. Kuehlmann, R. P. Kurshan, K. L. McMillan, An Analysis of SAT- Based Model Checking Techniques in an th Industrial Environment, Proceedings of 13 Advanced Research Working Conference on Correct Hardware Design and Verification Methods CHARME'05, Saarbrucken, Germany, 2005, pp [15] Y. Hietter, J. M. Roussel, J. J. Lesage, Algebraic synthesis of dependable logic controllers, 17 th IFAC World Congress, Seoul, Korea, 2008, pp ISSN: ISBN: