Computers & Chemical Engineering
Computers and Chemical Engineering 24 (2000) 303-308
www.elsevier.com/locate/compchemeng
Design and verification of the SFC program for sequential control
Kazuhisa Fujino *, Kei Imafuku, Yuh Yamashita, Hirokazu Nishitani
Nara Institute of Science and Technology, 8916-5 Takayama, Ikoma, Nara 630-0101, Japan
Abstract
A programmable controller (PC) programming technique using SFC (sequential function chart) has been adopted in sequential control system design because SFC can graphically represent the sequence flow of control logic. However, when we design an SFC program, we must verify the program with the design specifications. For this purpose, we can use scenario simulation and exhaustive simulation. In this paper, we propose to model both the controlled object and the SFC program by a Petri net for verification by both types of simulations. © 2000 Elsevier Science Ltd. All rights reserved.
Keywords: SFC program; Verification; Petri net; Simulation; Model checking; Temporal logic
* Corresponding author.
0098-1354/00/$ - see front matter © 2000 Elsevier Science Ltd. All rights reserved. PII: S0098-1354(00)00484-1
1. Introduction
Sequential control is one of the most important automation techniques for event-driven operations in the process industry. Previously, the controller in such systems had been implemented by the logic circuit using relays, and its control mechanism had been represented by the ladder diagram. Therefore, it had been used in the industry as a common language for sequential controllers. However, the ladder diagram cannot explicitly represent the sequential flow of control logic. Recently, the relay logic circuit has been replaced with programmable controllers (PCs) in many industrial applications. There are two types of programming languages for PCs: textual languages such as instruction list (IL) and structured text (ST), and graphical languages such as ladder diagram (LD) and function block diagram (FBD). The SFC (sequential function chart) programming method has been proposed and standardized as an appropriate PC programming technique (IEC, 1993). This method provides visualization of the sequential flow of control logic. SFC elements are defined for structuring the internal organization of PC programs and function blocks. Utilizing these elements, SFCs can be represented graphically or textually. A program organization unit is represented by a set of SFC elements. Configuration elements are also defined to support the installation of PC programs into PC systems. In addition, features are also defined to facilitate communication among PCs and other components of automated systems.
Although theoretical construction methods of the sequential control mechanism have been vigorously studied, these methods are far from ready for practical application. Therefore, we need to verify the SFC program along with its design specifications and additional constraints. For program verification, we can use a simulation of the closed system combining the controlled object and the SFC program under a set of specified conditions; this is called scenario simulation. However, both sequential control programs and controlled objects generally have concurrent behavior, which results in nondeterminism of the sequence of events. Therefore, this requires a huge number of scenarios. The other verification method is model checking in the state space under all assumed situations; this is called exhaustive simulation (Uchihira & Kawata, 1996). For both scenario and exhaustive simulation, we need a mathematical model of the combined closed system. In this study, we use the Petri net, which is a graphical and mathematical model for discrete event systems, to represent both the SFC program and the controlled object's behavior.
2. Characteristics of SFC
Usually, an SFC network is represented by a set of steps and transitions interconnected by directed links. Steps and transitions are represented by rectangular boxes and horizontal lines across the vertical directed links, respectively, as shown in Fig. 1. In SFC element connections, the alternation between step/transition and transition/step must always be maintained. A set of actions is associated with each step and a transition condition is associated with each transition. Actions are declared via one or more of the defined mechanisms. Control of actions is expressed by action qualifiers such as N (non-stored), S (stored), R (overriding reset), and so on.
A step represents a situation in which the behavior of an SFC program with respect to its inputs and outputs follows a set of rules defined by the associated actions of the step. A step is either active or inactive. At any given moment, the state of an SFC program is defined by the set of active steps and the values of its internal and output variables. A transition represents the condition whereby control passes from one or more steps preceding the transition to one or more successor steps along the corresponding directed links. The initial condition of an SFC network is characterized by the initial step, which is in the active state upon initialization of the program. Evolutions of the active states of steps take place along the directed links when caused by the clearing of one or more transitions. A transition is enabled when all of the preceding steps, which are connected to the corresponding transition symbol by directed links, are active. The clearing of a transition occurs when the transition is enabled and the associated transition condition is true. The clearing of a transition deactivates all of the immediately preceding steps connected to the corresponding transition symbol by directed links, and this is followed by the activation of all of the immediately following steps.
The SFC program explicitly represents the execution order of program component units, which are written in LD, FBD, ST, IL and SFC. The advantage of this method is direct representation of the sequential flow of control logic. The SFC method allows us to design a sequential control mechanism in a hierarchical manner. When we design the sequential control mechanism for the controlled object, we first draw an outline of the sequence of control logic and then, later, go into details. Usually, we use a three-layer stepwise design composed of the conceptual, functional, and detail layers. Even if the design method is a superior one, we cannot skip program verification with the design specifications. We need to examine the system performance of the combined closed system of the controlled object and the SFC program.
3. Petri net model of sequential control system
The Petri net model can describe the behavior of concurrent components that work asynchronously. We have developed a set of rules to transform the SFC program to the corresponding Petri net. We must also describe the controlled object by the Petri net.
Fig. 1. Step and transition in SFC method.
Table 1
Correspondence between SFC and Petri net
SFC                    Petri net
Step                   Place
Transition             Transition
Link                   Arc
Action                 Place
Transition condition   Place
Active/inactive        Token
3.1. Transformation from SFC program to Petri net
The SFC program is a model for describing the sequential control mechanism. The system state is defined by the set of active steps and the values of its internal and output variables. Events occur when the action of an active step is executed or when the next transition condition of an active step is satisfied. In the SFC program, the priority of competing enabled transitions is determined in the sequence selection. On the other hand, the Petri net is a directed bipartite graph with two types of nodes, places and transitions. The system state is defined by the marking of the places. Tokens are used to represent the marking. Events occur when a transition is enabled. Usually the priority of competing transitions is not specified in the Petri net. We use an inhibitory arc, drawn with a small circle on the arrow tip, to represent negation of a transition condition. The correspondence between the SFC elements and the Petri net components is summarized in Table 1. Using the relationship expressed in Table 1, sequence evolution in the SFC program is transformed into the corresponding Petri net. Actions with qualifiers, such as N (non-stored), S (stored), and R (reset), are also transformed into the Petri net under reasonable assumptions. Fig. 2 illustrates the Petri net for typical sequence evolution: (a) single sequence; (b) sequence with action; (c) sequence loop; (d) simultaneous sequences; and (e) sequence selection. The Petri net obtained by transformation can be simplified by the place/transition unifying rule.
[Fig. 2 (diagrams; each SFC fragment drawn beside its Petri net): (a) Single sequence; (b) Sequence with action; (c) Sequence loop; (d-1) Simultaneous sequences: divergence; (d-2) Simultaneous sequences: convergence; (e) Sequence selection: divergence (e-1) and convergence (e-2).]
Fig. 2. Transformation of SFC to Petri net.
3.2. Petri net model of the environment
For total sequential control system simulation, the behavior of the environment, which is composed of the controlled object and the human operator, if one exists, must be represented by the Petri net. This is equivalent to open-loop model identification in feedback control system design. The controlled object is composed of the objective process, measurement elements, and final control elements. We can build a Petri net model of the controlled object and the operator's behavior by connecting all related places and transitions while taking the physical relationship into account. However, the controlled object and the human operator may not behave as expected. This is an important test item for maintaining safety in abnormal situations. Rapid Petri net modeling and automatic modeling of the environment are important subjects for future work.
4. Verification of sequential control system
4.1. Scenario simulation
Once we build the Petri net model of the entire sequential control system, we can use a general Petri net simulator such as Visual Object Net++ for scenario simulation. The simulator provides the capability to put tokens at desired places at any time during simulation. A simulation can be repeated for a set of specified conditions, and its results are used for debugging the SFC program. Sometimes the SFC program is modified to cope with additional abnormal situations. However, verification by scenario simulation is limited to case studies.
4.2. Exhaustive simulation
The model checking method using temporal logic is a systematic verification method. Computation tree logic (CTL) was developed for the specification and verification of concurrent systems. CTL enables us to construct formulas in which truth in a specified state depends on the conditions in the other states. Assertions for checking safety, reliability, and operability are represented in CTL formulas. Once the CTL formulas are given, a model checking system determines whether each CTL formula is true with respect to the state space model. If a formula is false, the system also shows a counterexample: a state that causes trouble and the path leading to it.
Table 2
Example of SMV input file
MODULE main
VAR (definition of variables)
  P1 : boolean; ...; Pn : boolean;
INIT (definition of initial state)
  P1 = 1 & ... & Pn = 0
TRANS (definition of transitions)
  (T1_enable & T1_after & T1_unchange) |
  ... |
  (Tm_enable & Tm_after & Tm_unchange) |
  (Deadlock & all_unchange)
DEFINE (state space model)
  Ti_enable := (condition of transition Ti) Pj = 1/0 & ...;
  Ti_after := (places whose values are changed) next(Pj) = 1/0 & ...;
  Ti_unchange := (places whose values are not changed) next(Pk) = Pk & ...;
  Deadlock := (!T1_enable) & ... & (!Tm_enable);
  all_unchange := next(P1) = P1 & ... & next(Pn) = Pn;
SPEC (assertions in CTL formula)
5. Illustrative examples
[Fig. 3 (diagram; recovered labels): tank with valves V002 and V003, cooling water inlet, outflow, two level switches, TA01 (Temp. Switch), and push buttons PB01 (Start Button), PB02 (Stop Button), PB03 (Restart Button).]
Model checking methods such as the CTL model checker by Clarke and SMV (symbolic model verifier) developed by McMillan have been applied to the verification of sequential control programs written as ladder diagrams and sequence tables (Moon, Powers, Burch & Clarke, 1992; Moon, Ko, Probst & Powers, 1997; Hiranaka & Nishitani, 1994). In SMV, the state space model is represented by a binary decision diagram (BDD), which provides a compact representation of the state space model (McMillan, 1992). SMV does not require a global state transition graph. The Petri net model can be represented by a matrix, which contains the connections between transitions and places. Therefore, the Petri net model is converted into the SMV input without difficulty. We have developed a program that can generate an input file to SMV from the Petri net model. In the program, we define the structure of the Petri net in the matrix form. Table 2 shows an example of the SMV input file generated by the program. Consequently, we can easily use SMV for SFC program verification.
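As an added example (not the authors' generator), the pipeline of Sections 3.1 and 4.2 in Python: an SFC is mapped to a Petri net with the Table 1 correspondence, and the net is written out in the layout of Table 2. The SFC is the conceptual cooling sequence of Fig. 5; the condition names (start, high_level, temp_ok, low_level), the free environment that switches each condition place on and off, and the 0/1 notation for booleans are assumptions of this example.

```python
# Constructed example (not the authors' program): the SFC -> Petri net -> SMV
# pipeline of Sections 3.1 and 4.2 for the conceptual cooling sequence of Fig. 5.
# Table 1 maps steps to places, SFC transitions to transitions, links to arcs and
# transition conditions to places; the output follows the layout of Table 2.
from dataclasses import dataclass

@dataclass
class Transition:
    pre: tuple            # places emptied when the transition fires
    post: tuple           # places marked when the transition fires
    test: tuple = ()      # places that must be marked but are left unchanged
    inhibit: tuple = ()   # places that must be empty (inhibitory arc)

def sfc_to_petri(steps, sfc_transitions):
    """steps: step names in order; sfc_transitions: (name, condition, from_step, to_step).
    Each condition becomes a place that an assumed free environment can switch on
    or off at any time, so the closed model has no undriven input (an assumption)."""
    places, net = [f"s_{s}" for s in steps], {}
    for name, cond, src, dst in sfc_transitions:
        cp = f"c_{cond}"
        if cp not in places:
            places.append(cp)
            net[f"{cond}_on"] = Transition((), (cp,), (), (cp,))
            net[f"{cond}_off"] = Transition((cp,), ())
        net[name] = Transition((f"s_{src}",), (f"s_{dst}",), (cp,))
    return places, net

def to_smv(places, net, initial, specs):
    out = ["MODULE main", "VAR"] + [f"  {p} : boolean;" for p in places]
    out += ["INIT", "  " + " & ".join(f"{p} = {int(p in initial)}" for p in places)]
    out += ["TRANS"] + [f"  ({t}_enable & {t}_after & {t}_unchange) |" for t in net]
    out += ["  (Deadlock & all_unchange)", "DEFINE"]
    for t, tr in net.items():
        enable = [f"{p} = 1" for p in tr.pre + tr.test] + [f"{p} = 0" for p in tr.inhibit]
        cleared = [p for p in tr.pre if p not in tr.post]
        after = [f"next({p}) = 0" for p in cleared] + [f"next({p}) = 1" for p in tr.post]
        same = [f"next({p}) = {p}" for p in places if p not in cleared and p not in tr.post]
        out.append(f"  {t}_enable := {' & '.join(enable)};")
        out.append(f"  {t}_after := {' & '.join(after)};")
        out.append(f"  {t}_unchange := {' & '.join(same)};")
    out.append("  Deadlock := " + " & ".join(f"!{t}_enable" for t in net) + ";")
    out.append("  all_unchange := " + " & ".join(f"next({p}) = {p}" for p in places) + ";")
    return "\n".join(out + [f"SPEC {s}" for s in specs]) + "\n"

def cooling_example():
    """Fig. 5 sequence with assumed condition names; the SPEC asserts that two
    steps of the single sequence are never active together."""
    steps = ["initial", "charging", "cooling", "discharging"]
    sfc = [("t1", "start", "initial", "charging"), ("t2", "high_level", "charging", "cooling"),
           ("t3", "temp_ok", "cooling", "discharging"), ("t4", "low_level", "discharging", "initial")]
    places, net = sfc_to_petri(steps, sfc)
    return places, net, {"s_initial"}, ["AG !(s_charging & s_cooling)"]

def example_smv():
    return to_smv(*cooling_example())

if __name__ == "__main__":
    print(example_smv())
```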
[Fig. 3 label: PB04 (Reset Button).]
Fig. 3. Illustrative example: a cooling system.
Example 1. Cooling system
A sequential control system for a cooling system is considered in this section. As shown in Fig. 3, liquid is fed to a tank to cool it down to the specified temperature. This cooling system has three valves for manual operation of liquid charging, liquid discharging, and cooling water flow. The liquid volume for one batch is fixed and measured by the upper and lower level switches. The liquid temperature is measured by a thermocouple but represented with a 0-1 variable of a switch. In this example, the controlled object is composed of three subsystems: tank, sensors, and valves. The state of the tank is defined by three Boolean variables: high, middle, and low. The state of each valve and each sensor is also defined by its own Boolean variable. Three tank states and an on-state for each valve and each switch are defined as places in the Petri net. A simplified Petri net model for the controlled object is shown in Fig. 4. By using the SFC programming method, we can design a sequential control mechanism in a hierarchical manner. Fig. 5 shows the conceptual layer design. After the functional layer design using the means-ends analysis, the detail layer design is obtained as the SFC program shown in Fig. 6. In this SFC program, sequences for exceptional handling operation are added to the normal standard operation. This SFC program was transformed into the Petri net with the transformation rules in Table 1. The Petri net model of the entire sequential control system for the cooling system was obtained by connecting the Petri net of the controlled object and that of the SFC program (Fig. 7). Once this model is obtained, we can easily perform both scenario simulation and exhaustive simulation. We can put tokens at the places corresponding to the initial state. We can also put tokens to represent inputs from the environment if they exist. Therefore, we can simulate not only the normal operation, but also interruptions by the operator due to abnormal situations in charging, cooling, and discharging processes.
[Fig. 4 (Petri net diagram; recovered labels): valve transitions CLOSE->OPEN and OPEN->CLOSE; switch transitions LA01 ON->OFF and LA02 ON->OFF.]
Fig. 4. Petri net model of controlled object.
[Fig. 5 (conceptual sequence): Initial Condition -> Charging -> Cooling -> Discharging.]
Fig. 5. Conceptual design of control logic.
Fig. 6. Detail design of SFC program.
Example 2. Alarm system
Fig. 8 shows the SFC program of an alarm system to the operator under abnormal conditions. For simplicity, it is assumed that an abnormal state happens at the initial state and it disappears after the normal operation. We verify the following two assertions.
1. Both the buzzer and the lamp turn on whenever an abnormal condition is detected.
2. The lamp continues to be lit during an abnormal condition.
These assertions are represented in the following CTL formulas,
Fig. 7. Petri net model of total sequential control system.
[Fig. 8 (SFC diagram; recovered labels): transition t2 with condition push_button_01 ON; step Recovering; transition t3 with condition not abnormal_condition & push_button_02 ON; action R Lamp.]
1. AG (abnormal_condition -> AF (buzzer & lamp))
2. AG (abnormal_condition -> AF (lamp)) & (lamp -> A (lamp U (not abnormal_condition)))
Nondeterminism of events is likely to happen in an environment composed of the controlled object and the operator's behavior. When we made a Petri net model without nondeterminism, the SMV answered that these assertions are true. But when we made the Petri net model in Fig. 9 by taking nondeterminism into consideration, the SMV answered that these assertions are false. This results from the nondeterminism of events between transition t1 and the quick switching of a push button. We must exclude these cases by taking account of the dynamic property of the environment. We can simply modify the assertions in order to exclude the quick switching of a push button.
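An added example (not the paper's code) of exhaustive simulation for Example 2 in Python: the reachability graph of a 1-safe Petri net with inhibitory arcs is built and the two assertions above are checked with an explicit-state CTL checker. The alarm net is reconstructed from the labels of Fig. 8 (places s_idle, s_alarm, s_recover, buzzer, lamp, abn, pb1, pb2), and the two environments are assumptions: a scripted operator sequence without nondeterminism, and a free one in which the push buttons may be switched at any time, as in Fig. 9.

```python
# Constructed example (not the paper's code): exhaustive simulation of the alarm
# SFC of Example 2.  A transition is (consumed, produced, read, inhibited) places.
def enabled(m, t):
    return all(p in m for p in t[0] + t[2]) and not any(p in m for p in t[3])
def fire(m, t):
    return (m - set(t[0])) | set(t[1])

def reachability(net, m0):
    # markings are frozensets of marked places; a deadlock gets a self-loop (cf. Deadlock & all_unchange in Table 2)
    succ, todo = {}, [frozenset(m0)]
    while todo:
        m = todo.pop()
        if m in succ: continue
        nxt = {fire(m, t) for t in net.values() if enabled(m, t)}
        succ[m] = nxt or {m}
        todo.extend(nxt)
    return succ
def fixpoint(Z, step):
    while (Z2 := step(Z)) != Z: Z = Z2
    return Z

def sat(succ, f):  # explicit-state CTL: the states satisfying formula f (nested tuples)
    S, op = set(succ), f[0]
    if op == "true": return S
    if op == "p": return {s for s in S if f[1] in s}
    if op == "not": return S - sat(succ, f[1])
    if op == "and": return sat(succ, f[1]) & sat(succ, f[2])
    if op == "->": return (S - sat(succ, f[1])) | sat(succ, f[2])
    if op == "EU":  # least fixpoint of Z = g | (f & EX Z)
        F, G = sat(succ, f[1]), sat(succ, f[2])
        return fixpoint(G, lambda Z: Z | {s for s in F if succ[s] & Z})
    if op == "EG":  # greatest fixpoint of Z = f & EX Z
        return fixpoint(sat(succ, f[1]), lambda Z: {s for s in Z if succ[s] & Z})
    if op == "AF": return sat(succ, ("not", ("EG", ("not", f[1]))))
    if op == "AG": return sat(succ, ("not", ("EU", ("true",), ("not", f[1]))))
    if op == "AU":  # A[f U g] = !(E[!g U (!f & !g)] | EG !g)
        nf, ng = ("not", f[1]), ("not", f[2])
        return S - (sat(succ, ("EU", ng, ("and", nf, ng))) | sat(succ, ("EG", ng)))
    raise ValueError(op)
ALARM = {  # Fig. 8 via Table 1: steps and actions -> places, conditions -> read places
    "t1": (("s_idle",), ("s_alarm", "buzzer", "lamp"), ("abn",), ()),   # abnormal_condition
    "t2": (("s_alarm", "buzzer"), ("s_recover",), ("pb1",), ()),         # push_button_01 ON
    "t3": (("s_recover", "lamp"), ("s_idle",), ("pb2",), ("abn",)),      # not abn & push_button_02 ON; R Lamp
}
SCRIPTED_ENV = {  # assumed operator/plant sequence e0 -> e1 -> e2 -> e3 (no nondeterminism)
    "abn_clears": (("e0", "abn"), ("e1",), ("buzzer",), ()), "press_pb1": (("e1",), ("e2", "pb1"), (), ()),
    "press_pb2": (("e2",), ("e3", "pb2"), ("s_recover",), ()),
}
FREE_ENV = {  # Fig. 9 style: either push button may be switched on or off at any time
    "pb1_on": ((), ("pb1",), (), ("pb1",)), "pb1_off": (("pb1",), (), (), ()),
    "pb2_on": ((), ("pb2",), (), ("pb2",)), "pb2_off": (("pb2",), (), (), ()),
    "abn_clears": (("abn",), (), ("s_recover",), ()),
}
P = lambda name: ("p", name)
ASSERT1 = ("AG", ("->", P("abn"), ("AF", ("and", P("buzzer"), P("lamp")))))
ASSERT2 = ("and", ("AG", ("->", P("abn"), ("AF", P("lamp")))),
           ("->", P("lamp"), ("AU", P("lamp"), ("not", P("abn")))))

def check(env, m0=("s_idle", "abn", "e0")):  # -> (reachable states, assertion 1, assertion 2)
    succ, s0 = reachability({**ALARM, **env}, m0), frozenset(m0)
    return len(succ), s0 in sat(succ, ASSERT1), s0 in sat(succ, ASSERT2)
```

With the scripted environment both assertions hold; with the free environment both fail, because there is a path on which a push button is switched on and off forever while t1 is enabled but never fires.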
Fig. 8. SFC program for an alarm system.
6. Conclusions
Scenario simulation and exhaustive simulation are useful techniques for SFC program verification. Petri net modeling of the SFC program and the controlled object was studied for both types of simulations. Transformation rules from the SFC program to the Petri net were developed for modeling support. A combination of rapid Petri net modeling of nondeterministic properties and automatic model checking promises to be a useful method for the design and verification of SFC programs with many exceptions that must be handled to cope with abnormal situations.
Fig. 9. Petri net model under nondeterminism of environment.
References
Hiranaka, H., & Nishitani, H. (1994). Sequential control issues in the plant-wide control system. In Advanced control of chemical processes (ADCHEM'94) (pp. 345-350). Oxford: Pergamon.
IEC (International Electrotechnical Commission). (1993). Programmable controllers - part 3: programming languages (1st ed.) (IEC 1131-3), Geneva.
McMillan, K. L. (1992). The SMV system draft. Carnegie-Mellon University.
Moon, I., Powers, G. J., Burch, J. R., & Clarke, E. M. (1992). Automatic verification of sequential control systems using temporal logic. American Institute of Chemical Engineers Journal, 38, 67-75.
Moon, I., Ko, D., Probst, S. T., & Powers, G. J. (1997). A symbolic model verifier for safe chemical process sequential control systems. Journal of Chemical Engineering of Japan, 30, 13-22.
Uchihira, N., & Kawata, H. (1996). Exhaustive simulation of discrete event systems. Journal of SICE, 35, 163-169.