Automated Verification for the Software of Distributed Control Systems: Possible Approaches

Transcription

1 Automated Verification for the Software of Distributed Control Systems: Possible Approaches Francesco Schiavo Politecnico di Milano Dipartimento di Elettronica e Informazione

2 Automated Verification for DCS Verification:: are we building the product right? (Bohem,, 1979) Verification involves checking that the software conforms to its specifications. We are looking for formal methods which allow us to effectively prove properties about the control software. 2

3 INDEX Formal Methods Case Study The Plant The Control System Verification Approach 1: Rules & Equations Verification Approach 2: Model Checking Research Results and Future Directions 3

4 Are Formal Methods Profitable? Disadvantages: Slowing down of the early development process. Additional Software needed. Developers have to learn such methods. Advantages: Development of a design bug-free software. Shortening of the time to market. Better system reliability and maintainability. Both a better software and a cost reduction. 4

5 Research Aims Formal Methods that can prove properties of the control software (such as timing constraints, the happening of certain events as a response of some input ). Tools to perform the verification, which can be used easily and are user friendly, but still highly effective. 5

6 An Interesting Case Study Verification of the control software of a thermal power plant: the Aquaba Plant (courtesy of ABB Sae Sadelmi). 6

7 The Plant V4i Water L1-L2 Tank V1i V2i F1 F2 Air Ejector Loss P1 V1 M M M M V2 P2 Recirculation Valve w1-w2 P1-P2 Gland Steam Loss L. P. Heater Loss L.P. Turbine Deaerator Level Valve Cond Storage Tank 7

8 The Control Scheme Logic Control Modulating Control HMI Interface Modulating Control Plant Logic Control 8

9 The Modulating Control Scheme Level Measurement Pressure Measurement Flow Measurement CONDENSATE HOT WELL LEVEL CONTROLLER Feedforward Signal CONDENSATE EXTRACTION PUMPS MINUMUM FLOW CONTROLLER Level Valve Stem Position Recirculation Valve Stem Position 9

10 Group Control Stand By Selector High Level The Logic Control Scheme Sequence Control & Step (Branch 1) Sequence Control & Step (Branch 2) Middle Level Drive Motor Valve 1 Drive Motor Pump 1 Drive Motor Valve 2 Drive Motor Pump 2 Low Level Field 10

11 Logic Control: Architecture Hierarchical Structure, three levels: High Level (Group Control, Stand-By Selector): coordination and control of the two extraction branches. Middle Level (Sequence Control, Step Program): one independent control for each extraction branch. Low Level Drive Level (Valve Control, Pump Control): it effects the physical devices of the plant, open/close & start/stop motorized valves and pumps. Each Level Communicates with the level above and below and can receive feedback signals from the plant. 11

12 The Logic Control Specifications Natural Language (NLS): Desired behavior expressed in natural language Really simple and systematic. Logical nets: Classical logical gates. Non-standard components (timeouts, rising/falling edge detectors). 12

13 A Verification Approach: From Natural Language Specifications to Specifications Equations Rules Equations This Process Can Be Automated Analysis Software Properties to Check 13

14 From Natural Language to Rules NLS (neglecting the presence of timers): Easily translated into a set of formal rules. Formal Rules Classical boolean operators (, U,,, ) Binary variables. Binary Variables Logical signals exchanged (inputs & outputs) Feedback signals from the field. Auxiliary variables (low number). 14

15 From Rules to Equations (Translation Scheme) A A = 1 A 1 - A = 1 A B AB = 1 A U B A + B - AB = 1 A B A(B - 1) + 1 = 1 A B 2AB - A - B + 1 = 1 15

16 Translation Example Low Level, Valve/Pump Control: Priority Logic Specifications NLS Automatic orders A0, A1 are active only if the drive is in Automatic mode and Remote is not selected Formal Rule (A0A A1A) (AUTO REM) Equation 2*A0A*A1A*AUTO-2*A0A*A1A*AUTO*REM- A0A*A1A-AUTO+AUTO*REM=0 16

17 The Timer Component Scheme IN Td OUT If IN holds for a period of time grater or equal to Td, then OUT goes to one. As soon as IN goes to zero, so does OUT IN OUT Td time 17

18 The Timer Modeling Continuous Model (Equations and inequalities, continuous and binary variables) Close to the real component functioning. Too complicated for useful analysis. Discrete Model (One Integer parameter Kd) OUT=IN*IN1*IN2* IN(Kd-1) Variables number explosion. 18

19 The Equations Analysis Operational Research Software: AMPL plus, student edition v1.6. The equations are the constraints of an Operational Research Program. The properties to be checked are expressed as the objective function or as additional constraints. The software has major numerical limitation (our set of equations leads to a nonlinear binary program or to a nonlinear mixed-integer program) 19

20 Rules/Equations Based Approach: Possibilities and Drawbacks Easy formal translation from specification into rules and from rules into equations. The formal analysis deals with the possible solutions of a set of algebraic equations. All the rules are processed in parallel. Difficulties in the modeling of some components. Complex numerical analysis for the set of equations. 20

21 Rules/Equations Based Approach: Results and Future Directions Profitable approach: easy and fast passage from informal specifications to formal rules. Modeling of nonstandard components (e.g. Timer) Analysis of the nonlinear equations system (only small parts of the logic have been analyzed). Possible future improvements New translation scheme ( linear system of inequalities) New algorithms for the nonlinear equations system analysis 21

22 A Classic Verification Approach: Model Checking Specifications System Model Analysis Software Properties to Check 22

23 Model Checking Formal analysis technique, it has been developed to automatically validate functional properties for software or hardware systems. Properties are specified using some sort of a temporal logic or using automata. A model checker can evaluate the validity of the temporal properties over the model. Model checking validation can be implemented as a push-button process (returns a positive result or an error trail). 23

24 The Software: SPIN and Promela SPIN (model checker) accepts design specifications written in the verification language PROMELA (a Process Meta Language) accepts correctness claims specified in the syntax of standard Linear Temporal Logic (LTL). performs the analysis with optimized algorithms which are both memory/time saving and effective Promela (the input language for SPIN) C-like style, easy to understand and to use Nondeterministic execution flow possibilities, support for processes concurrency. 24

25 The Tool Structure XSpin Front-End (TCL/TK code) PROMELA Parser LTL Parser And Translator 1. Syntax Error Reports 2. Interactive Simulation 3. Verifier Generator Optimized Model Checker (ANSI C Code) Counter - Examples Executable On-The-Fly Verifier 25

26 Logic Control Verification with SPIN Promela program that models the Logic Control behavior as described in the specifications (NLS and Logic Nets) SPIN Interactive/Automatic simulator. Checking of the entire state space against properties expressed in LTL logic. 26

27 A Comparison Case: SPIN VS Matlab (1) Drive Level, Valve/Pump Control: Priority Logic Specifications. 30 binary variables (18 inputs, 2 outputs, 10 auxiliary variables). Promela program (property driven inputs generation). Matlab equivalent script (exhaustive inputs generation, 2 18 cases). 27

28 A Comparison Case: SPIN VS Matlab (2) Property checking trough an assertion on outputs Spin: [ ]!(Open && Close) Matlab: : if (Open*Close==1) error The property resulted satisfied Spin analysis time 8 seconds (5.2 MB of memory usage) Matlab analysis time 24 minutes (PC Pentium II 350, 384 MB ram, Windows 2000 Pro Spin version Matlab version 5.3) Writing the two programs took about the same time. 28

29 Model Checking Approach (SPIN): Possibilities and Drawbacks Verification of a large number of properties (LTL formulae) Pushbutton method. Modular/Global verification. Easy and meaningful modeling. Promela program close to the real implementation: good prototype. Intelligent test cases (property-driven). Counterexample eventually generated. Little numerical capabilities (No plant/control integrated verification possible) Dummy models for the field 29

30 Model Checking Approach (SPIN): Results Completed the analysis of the low-level, middle- level and high-level Logic Control, with formal checking of many properties, involving consistency, correctness, safety and system responses to specified inputs. Currently performing the global analysis. At present this method and this tool seem to be a profitable choice for Logic Control formal verification. 30

31 Research Results and Future Directions Logic Control Verification (results) Rule/Equations approach: very innovative and promising, but still not ready to be used and with majors drawbacks. Model Checking approach: a single tool has been analyzed, with good results and interesting possibilities for industry applications. Logic Control Verification (work in progress) Use of Theorem Provers with the rules (Heerhugo( Heerhugo) Modulating Control Verification (work in progress) Hybrid model for Plant and Control: analysis with specific tools (Checkmate) 31

32 Essential Bibliography A. Ballarino Verifica Funzionale Del Software Di Controllo Di Un Processo Industriale Tramite Tecniche Basate Sulla Simulazione (Tesi( di Laurea, Politecnico di Milano,, 2001) ABB Sae Sadelmi Control Specifications for the Aquaba Plant (Various Documents, 1996) A. Benporad,, M. Morari Control of Systems Integrating Logic, Dynamics, and Constraints (Automatica( Automatica,, Vol. 35, No. 3, pp , 1999) R. Bruni,, G. Fasano,, G. Liuzzi Appunti sulla sintassi e sui comandi di AMPL Plus v1.6 (Course Lab. Manual, 2001) G. Brat, K. Havelund,, S. Park, W. Visser Model checking programs (IEEE International Conference on Automated Software Engineering, September 2000) G. J Holtzmann The Model Checker Spin (IEEE Transaction on Software Engineering, Vol. 23, No. 5, May 1997) R. Gerth Simple On-the-fly Automatic Verification of Linear Temporal Logic, (Proc. 15th Work. Protocol Specification, Testing, and Verification, Warsaw, June North-Holland) 32