
Page 1: Automated Verification for the Software of Distributed Control Systems: Possible Approaches

Francesco Schiavo
Politecnico di Milano, Dipartimento di Elettronica e Informazione

Page 2: Automated Verification for DCS

- "Verification: are we building the product right?" (Boehm, 1979)
- Verification involves checking that the software conforms to its specifications.
- We are looking for formal methods which allow us to effectively prove properties of the control software.

Page 3: Index

- Formal Methods
- Case Study
  - The Plant
  - The Control System
- Verification Approach 1: Rules & Equations
- Verification Approach 2: Model Checking
- Research Results and Future Directions

Page 4: Are Formal Methods Profitable?

- Disadvantages:
  - Slowing down of the early development process.
  - Additional software needed.
  - Developers have to learn such methods.
- Advantages:
  - Development of software free of design bugs.
  - Shortening of the time to market.
  - Better system reliability and maintainability.
  - Both better software and a cost reduction.

Page 5: Research Aims

- Formal methods that can prove properties of the control software (such as timing constraints, or the occurrence of certain events in response to some input).
- Tools to perform the verification which are easy to use and "user friendly", but still highly effective.

Page 6: An Interesting Case Study

- Verification of the control software of a thermal power plant: the Aquaba Plant (courtesy of ABB Sae Sadelmi).

Page 7: The Plant

[Figure: plant schematic. Labelled elements: Recirculation Valve, Level Valve, Tank, L1-L2, motors (M), P1, P2, V1, V2, V1i, V2i, F1, F2, P1-P2, w1-w2, Air Ejector Loss, Gland Steam Loss, L.P. Heater Loss, V4i (Water), Deaerator, L.P. Turbine, Condensate Storage Tank.]

Page 8: The Control Scheme

- Logic Control
- Modulating Control

[Figure: block diagram with Plant, Modulating Control, Logic Control and HMI Interface.]

Page 9: The Modulating Control Scheme

[Figure: modulating control scheme. Inputs: Level Measurement, Pressure Measurement, Flow Measurement. Controllers: Condensate Hot Well Level Controller, Condensate Extraction Pumps Minimum Flow Controller. Outputs: Level Valve Stem Position, Recirculation Valve Stem Position. A Feedforward Signal is also shown.]

Page 10: The Logic Control Scheme

[Figure: logic control hierarchy. High Level: Group Control, Stand By Selector. Middle Level: Sequence Control & Step (Branch 1), Sequence Control & Step (Branch 2). Low Level: Drive Motor Valve 1, Drive Motor Valve 2, Drive Motor Pump 1, Drive Motor Pump 2. Below the Low Level: Field.]

Page 11: Logic Control: Architecture

- Hierarchical structure, three levels:
  - High Level (Group Control, Stand-By Selector): coordination and control of the two extraction branches.
  - Middle Level (Sequence Control, Step Program): one independent control for each extraction branch.
  - Low Level / Drive Level (Valve Control, Pump Control): acts on the physical devices of the plant, opening/closing the motorized valves and starting/stopping the pumps.
- Each level communicates with the level above and the level below, and can receive feedback signals from the plant.

Page 12: The Logic Control Specifications

- Natural Language Specifications (NLS):
  - Desired behavior expressed in natural language.
  - Really simple and systematic.
- "Logical" nets:
  - Classical logic gates.
  - Non-standard components (timeouts, rising/falling edge detectors).

Page 13: A Verification Approach: From Natural Language Specifications to Equations

[Figure: Specifications -> Rules -> Equations -> Software Analysis; Properties to Check -> Software Analysis.]

This process can be automated.

Page 14: From Natural Language to Rules

- NLS (neglecting the presence of timers):
  - Easily translated into a set of formal rules.
- Formal rules:
  - Classical boolean operators (∧, ∨, ¬, →, ↔).
  - Binary variables.
- Binary variables:
  - Logical signals exchanged (inputs & outputs).
  - Feedback signals from the field.
  - Auxiliary variables (a low number of them).

Page 15: From Rules to Equations (Translation Scheme)

  Rule      Equation
  A         A = 1
  ¬A        1 − A = 1
  A ∧ B     AB = 1
  A ∨ B     A + B − AB = 1
  A → B     A(B − 1) + 1 = 1
  A ↔ B     2AB − A − B + 1 = 1

Page 16: Translation Example

- Low Level, Valve/Pump Control: Priority Logic Specifications.
- NLS: "Automatic orders A0, A1 are active only if the drive is in Automatic mode and Remote is not selected".
- Formal rule: (A0A ∧ A1A) ↔ (AUTO ∧ ¬REM)
- Equation:

  2*A0A*A1A*AUTO − 2*A0A*A1A*AUTO*REM − A0A*A1A − AUTO + AUTO*REM = 0

  This is the ↔ scheme of page 15 with X = A0A*A1A and Y = AUTO*(1 − REM): 2XY − X − Y + 1 = 1, with the constant moved to the right-hand side. Note that "only if" in the NLS reads literally as an implication; the rule (and its equation) encode the stronger equivalence.

Page 17: The Timer Component

- Scheme: if IN holds for a period of time greater than or equal to Td, then OUT goes to one. As soon as IN goes to zero, so does OUT.

[Figure: timer block with input IN, parameter Td and output OUT, and a timing diagram of IN and OUT (values 0/1) against time: OUT rises Td after IN rises and falls together with IN.]

Page 18: The Timer Modeling

- Continuous model (equations and inequalities, continuous and binary variables):
  - Close to the functioning of the real component.
  - Too complicated for useful analysis.
- Discrete model (one integer parameter Kd):
  - OUT = IN*IN1*IN2*…*IN(Kd−1), where INk is IN delayed by k sampling periods.
  - Explosion of the number of variables (Kd−1 delayed copies of IN per timer).

Page 19: The Equations Analysis

- Operational research software: AMPL Plus, student edition v1.6.
- The equations are the constraints of an operational research program.
- The properties to be checked are expressed as the objective function or as additional constraints.
- The software has major numerical limitations (our set of equations leads to a nonlinear binary program or to a nonlinear mixed-integer program).
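The translation scheme of pages 15 and 16 and the constraint-based check of page 19, as an added worked example (not code from the original work): boolean rules become multilinear polynomials over binary variables, the priority-logic rule of page 16 is translated and compared term by term with the equation printed there, and a property is checked by searching for an assignment that satisfies every rule-equation while violating the property, which is the role the objective function or extra constraint plays in the AMPL program. Exhaustive enumeration stands in for the solver; the two properties and the implication variant of the rule are constructed for illustration.

```python
"""Boolean rules as polynomial equations over binary variables (added example)."""
from itertools import product

# A polynomial is a dict {monomial: coefficient}; a monomial is a frozenset of
# variable names. On {0,1}-valued variables x*x == x, so a monomial never
# repeats a variable and every polynomial stays multilinear.

def const(c):
    return {frozenset(): c} if c else {}

def var(name):
    return {frozenset([name]): 1}

def add(p, q):
    r = dict(p)
    for m, c in q.items():
        r[m] = r.get(m, 0) + c
    return {m: c for m, c in r.items() if c}

def scale(p, k):
    return {m: c * k for m, c in p.items()} if k else {}

def mul(p, q):
    r = {}
    for m1, c1 in p.items():
        for m2, c2 in q.items():
            r[m1 | m2] = r.get(m1 | m2, 0) + c1 * c2   # set union implements x*x = x
    return {m: c for m, c in r.items() if c}

# Translation scheme of page 15: each connective is the left-hand side of an
# equation "... = 1" that holds exactly on the satisfying assignments.
def NOT(a):    return add(const(1), scale(a, -1))                 # 1 - A
def AND(a, b): return mul(a, b)                                    # AB
def OR(a, b):  return add(add(a, b), scale(mul(a, b), -1))         # A + B - AB
def IMP(a, b): return add(mul(a, add(b, const(-1))), const(1))     # A(B - 1) + 1
def IFF(a, b): return add(add(scale(mul(a, b), 2), scale(add(a, b), -1)), const(1))  # 2AB - A - B + 1

def variables(*polys):
    return sorted({v for p in polys for m in p for v in m})

def evaluate(p, env):
    return sum(c * all(env[v] for v in m) for m, c in p.items())

def solutions(p):
    """Assignments of p's variables on which p == 1, i.e. on which the rule holds."""
    names = variables(p)
    return {bits for bits in product((0, 1), repeat=len(names))
            if evaluate(p, dict(zip(names, bits))) == 1}

def find_violation(rules, prop):
    """Page 19's check: an assignment satisfying every rule-equation but not
    prop. The equations are the constraints, the negated property the goal;
    exhaustive enumeration stands in for the AMPL solver."""
    names = variables(*rules, prop)
    for bits in product((0, 1), repeat=len(names)):
        env = dict(zip(names, bits))
        if all(evaluate(r, env) == 1 for r in rules) and evaluate(prop, env) != 1:
            return env
    return None

# Page 16: "Automatic orders A0, A1 are active only if the drive is in Automatic
# mode and Remote is not selected", as the equivalence the slide's equation encodes.
A0A, A1A, AUTO, REM = (var(n) for n in ("A0A", "A1A", "AUTO", "REM"))
RULE = IFF(AND(A0A, A1A), AND(AUTO, NOT(REM)))
RULE_AS_IMPLICATION = IMP(AND(A0A, A1A), AND(AUTO, NOT(REM)))  # the literal "only if"
EQUATION = add(RULE, const(-1))   # "RULE = 1" rewritten as "... = 0" like the slide

# The five terms printed on page 16, for a term-by-term comparison.
SLIDE_EQUATION = {
    frozenset({"A0A", "A1A", "AUTO"}): 2,
    frozenset({"A0A", "A1A", "AUTO", "REM"}): -2,
    frozenset({"A0A", "A1A"}): -1,
    frozenset({"AUTO"}): -1,
    frozenset({"AUTO", "REM"}): 1,
}

# Properties constructed for illustration (not from the slides): with Remote
# selected no automatic order pair may be active; the second is false under RULE.
NO_AUTO_ORDERS_IN_REMOTE = IMP(REM, NOT(AND(A0A, A1A)))
AUTO_IMPLIES_ORDERS = IMP(AUTO, AND(A0A, A1A))

if __name__ == "__main__":
    print("matches slide:", EQUATION == SLIDE_EQUATION)
    print("solutions, equivalence vs implication:",
          len(solutions(RULE)), len(solutions(RULE_AS_IMPLICATION)))
    print("violation of first property:", find_violation([RULE], NO_AUTO_ORDERS_IN_REMOTE))
    print("violation of second property:", find_violation([RULE], AUTO_IMPLIES_ORDERS))
```

The equivalence admits 10 of the 16 assignments and the implication 13, which is the difference between "exactly when" and "only if" that the translation silently decides; the second property fails only with AUTO and REM both set, the case the rule leaves without automatic orders.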

Page 20: Rules/Equations Based Approach: Possibilities and Drawbacks

- Easy formal translation from specifications into rules and from rules into equations.
- The formal analysis deals with the possible solutions of a set of algebraic equations.
- All the rules are processed "in parallel".
- Difficulties in the modeling of some components.
- Complex numerical analysis for the set of equations.

Page 21: Rules/Equations Based Approach: Results and Future Directions

- Profitable approach: easy and fast passage from informal specifications to formal rules.
- Still open: modeling of nonstandard components (e.g. the timer).
- Still open: analysis of the nonlinear equation system (only small parts of the logic have been analyzed).
- Possible future improvements:
  - New translation scheme (→ linear system of inequalities).
  - New algorithms for the analysis of the nonlinear equation system.

Page 22: A Classic Verification Approach: Model Checking

[Figure: Specifications -> System Model -> Software Analysis; Properties to Check -> Software Analysis.]

Page 23: Model Checking

- Formal analysis technique, developed to automatically validate functional properties of software or hardware systems.
- Properties are specified using some form of temporal logic or using automata.
- A model checker can evaluate the validity of the temporal properties over the model.
- Model checking validation can be implemented as a push-button process: it returns either a positive result or an error trail.

Page 24: The Software: SPIN and Promela

- SPIN (model checker):
  - accepts design specifications written in the verification language PROMELA (a Process Meta Language);
  - accepts correctness claims specified in the syntax of standard Linear Temporal Logic (LTL);
  - performs the analysis with optimized algorithms which are both memory/time saving and effective.
- Promela (the input language for SPIN):
  - C-like style, easy to understand and to use;
  - nondeterministic execution flow, support for process concurrency.

http://netlib.bell-labs.com/netlib/spin/whatispin.html

Page 25: The Tool Structure

[Figure: XSpin front-end (Tcl/Tk code) -> PROMELA parser and LTL parser and translator -> (1) syntax error reports, (2) interactive simulation, (3) verifier generator -> optimized model checker (ANSI C code) -> executable on-the-fly verifier -> counter-examples.]

Page 26: Logic Control Verification with SPIN

- Promela program that models the Logic Control behavior as described in the specifications (NLS and logic nets).
- SPIN:
  - Interactive/automatic simulator.
  - Checking of the entire state space against properties expressed in LTL.

Page 27: A Comparison Case: SPIN vs Matlab (1)

- Drive Level, Valve/Pump Control: Priority Logic Specifications.
- 30 binary variables (18 inputs, 2 outputs, 10 auxiliary variables).
- Promela program (property-driven input generation).
- Matlab "equivalent" script (exhaustive input generation, 2^18 cases).

Page 28: A Comparison Case: SPIN vs Matlab (2)

- Property checking through an assertion on the outputs:
  - Spin: [] !(Open && Close)
  - Matlab: if (Open*Close==1) "error"
- The property was found to hold:
  - Spin analysis time: about 8 seconds (5.2 MB of memory usage).
  - Matlab analysis time: about 24 minutes.
  (PC Pentium II 350, 384 MB RAM, Windows 2000 Pro; Spin version 3.4.9, Matlab version 5.3)
- Writing the two programs took about the same time.
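The comparison above and the discrete timer model of page 18, as an added example that is neither the Promela program nor the Matlab script of the original work: a hypothetical, much smaller drive-level priority logic (7 binary inputs instead of 18, two outputs, one timer with threshold Kd) is checked against [] !(Open && Close) by a breadth-first search over reachable states that tries every input vector in each state, exhaustive like the Matlab script and returning an error trail like SPIN. The timer keeps a saturating count instead of Kd−1 delayed copies of IN; the `interlock` switch, the input names and the stuck-valve supervision are assumptions made only to show what a counterexample looks like.

```python
"""Explicit-state check of a drive-level priority logic (added, constructed example).

A small hypothetical stand-in for the Valve/Pump Control priority logic: seven
binary inputs, two outputs (Open, Close) and one timer with threshold KD.
check_invariant() visits every reachable state with every input combination,
so it is exhaustive like the Matlab script, and it returns an error trail when
the claim fails, as SPIN does for the LTL claim [] !(Open && Close).
"""
from collections import deque
from itertools import product

INPUTS = ("A0", "A1", "AUTO", "REM", "MAN_OPEN", "MAN_CLOSE", "FB_OPEN")  # assumed
KD = 3  # timer threshold in scan cycles (the integer parameter Kd of page 18)

def timer_step(count, inp):
    """Discrete timer: OUT becomes 1 once IN has held for KD consecutive cycles
    and drops with IN. A saturating count 0..KD is equivalent to the shift-register
    form OUT = IN*IN1*...*IN(Kd-1) but needs one integer instead of Kd-1 delayed
    copies of IN, which is what keeps the state space small here."""
    count = min(count + 1, KD) if inp else 0
    return count, count >= KD

def priority_logic(state, env, interlock=True):
    """One scan cycle of the drive. Returns (next_state, (Open, Close))."""
    _open_was, _close_was, count = state
    # Automatic orders are active only in Automatic mode with Remote not selected
    # (the rule of page 16); manual orders only outside Automatic mode.
    auto_ok = env["AUTO"] and not env["REM"]
    open_req = (env["A0"] and auto_ok) or (env["MAN_OPEN"] and not env["AUTO"])
    close_req = (env["A1"] and auto_ok) or (env["MAN_CLOSE"] and not env["AUTO"])
    # Priority: a close request wins over a simultaneous open request.
    # The interlock flag exists only to demonstrate a failing check.
    out_open = (open_req and not close_req) if interlock else open_req
    out_close = close_req
    # The timer supervises the open command: after KD cycles without the open
    # limit-switch feedback the command is dropped (assumed stuck-valve protection).
    count, timed_out = timer_step(count, out_open and not env["FB_OPEN"])
    if timed_out:
        out_open = False
    return (bool(out_open), bool(out_close), count), (bool(out_open), bool(out_close))

def never_open_and_close(outputs):
    """The safety claim [] !(Open && Close), evaluated on one cycle's outputs."""
    return not (outputs[0] and outputs[1])

def error_trail(parents, state):
    """Input vectors that lead from the initial state to `state`."""
    inputs = []
    while parents[state] is not None:
        state, env = parents[state]
        inputs.append(env)
    return list(reversed(inputs))

def check_invariant(prop, interlock=True):
    """Breadth-first search over reachable states, every input vector at each.
    Returns (None, states_visited) if prop holds on every transition, otherwise
    (trail, states_visited) where the trail's last input vector violates prop."""
    init = (False, False, 0)
    parents = {init: None}
    queue = deque([init])
    while queue:
        state = queue.popleft()
        for bits in product((0, 1), repeat=len(INPUTS)):
            env = dict(zip(INPUTS, bits))
            nxt, outs = priority_logic(state, env, interlock)
            if not prop(outs):
                return error_trail(parents, state) + [env], len(parents)
            if nxt not in parents:
                parents[nxt] = (state, env)
                queue.append(nxt)
    return None, len(parents)

if __name__ == "__main__":
    trail, n = check_invariant(never_open_and_close)
    print("with interlock:", "holds" if trail is None else trail, f"({n} states)")
    trail, n = check_invariant(never_open_and_close, interlock=False)
    print("without interlock:", "holds" if trail is None else trail)
```

With the interlock in place the claim holds over the 6 reachable states (the timer count is the only state that grows); without it the search stops at the first state and input vector that drive both outputs, and the returned trail is the input sequence a SPIN error trail would contain. Because every input vector is tried in every state, the cost is (reachable states) × 2^inputs, which is why SPIN's property-driven input generation matters at 18 inputs.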

Page 29: Model Checking Approach (SPIN): Possibilities and Drawbacks

- Verification of a large number of properties (LTL formulae).
- "Push-button" method.
- Modular/global verification.
- Easy and meaningful modeling.
- Promela program close to the real implementation: a good prototype.
- "Intelligent" test cases (property-driven).
- A counterexample is generated whenever a property fails.
- Little numerical capability (no integrated plant/control verification possible).
- "Dummy" models for the field.

Page 30: Model Checking Approach (SPIN): Results

- Completed the analysis of the low-level, middle-level and high-level Logic Control, with formal checking of many properties involving consistency, correctness, safety and system responses to specified inputs.
- Currently performing the global analysis.
- At present this method and this tool seem to be a profitable choice for the formal verification of Logic Control.

Page 31: Research Results and Future Directions

- Logic Control verification (results):
  - Rules/Equations approach: very innovative and promising, but not yet ready for use and with major drawbacks.
  - Model Checking approach: a single tool has been analyzed, with good results and interesting possibilities for industrial applications.
- Logic Control verification (work in progress):
  - Use of theorem provers with the rules (Heerhugo).
- Modulating Control verification (work in progress):
  - Hybrid model for plant and control: analysis with specific tools (Checkmate).

Page 32: Essential Bibliography

- A. Ballarino, "Verifica Funzionale Del Software Di Controllo Di Un Processo Industriale Tramite Tecniche Basate Sulla Simulazione" [Functional verification of the control software of an industrial process by simulation-based techniques], Tesi di Laurea (degree thesis), Politecnico di Milano, 2001.
- ABB Sae Sadelmi, "Control Specifications for the Aquaba Plant", various documents, 1996.
- A. Bemporad, M. Morari, "Control of Systems Integrating Logic, Dynamics, and Constraints", Automatica, Vol. 35, No. 3, pp. 407-427, 1999.
- R. Bruni, G. Fasano, G. Liuzzi, "Appunti sulla sintassi e sui comandi di AMPL Plus v1.6" [Notes on the syntax and commands of AMPL Plus v1.6], course lab manual, 2001.
- G. Brat, K. Havelund, S. Park, W. Visser, "Model Checking Programs", IEEE International Conference on Automated Software Engineering, September 2000.
- G. J. Holzmann, "The Model Checker SPIN", IEEE Transactions on Software Engineering, Vol. 23, No. 5, May 1997.
- R. Gerth et al., "Simple On-the-fly Automatic Verification of Linear Temporal Logic", Proc. 15th Workshop on Protocol Specification, Testing, and Verification, Warsaw, June 1995, North-Holland.