Industrial Dependability of Systems: A Coordinated Approach


Copyright © IFAC Information Control in Manufacturing, Nancy - Metz, France, 1998

INDUSTRIAL DEPENDABILITY OF SYSTEMS: A COORDINATED APPROACH

J.-F. Aubry (1), F. Simonot-Lion (2)
(1) CRAN - INPL, (2) LORIA - INPL
2, Avenue de la Forêt de Haye - F-54516 Vandœuvre-lès-Nancy
[email protected], [email protected]

Abstract: The quality and dependability of products and of their automated production systems are obtained by the coordination of several kinds of expertise: that of the production system specialist, of the control system specifier and of the computer-based applications designer. In this context, the "Regional Council of Lorraine" is sponsoring a federative project which associates eight university research laboratories. The purpose of this paper is to present a part of this research. Copyright © 1998 IFAC

Keywords: Computer control system design, dependability, quality, diagnosis, fault tolerance.

1. INTRODUCTION

This paper presents the research activities developed in the context of a "Federative Project" sponsored by the "Regional Council of Lorraine" and called "Industrial Dependability of Systems". This project associates university research laboratories* in the Lorraine Region. Two operations were selected for this project:
• "Coordinated conception of dependable systems with quality requirements";
• "Safety of storage, reactive and thermal processes".
The first operation is reported here, and only some aspects relative to the safe conception of control systems are presented.

The failure of production equipment or of computer-based control systems (hardware, software) can expose any industrial installation to critical risks. Usually, the design of products comes before the specification of their production process, and in many cases this activity is followed by the implementation of additional processes in order to increase, on the one hand, the quality of the products and/or of the production and, on the other hand, the dependability of the whole system. This approach consists of a sequence of stages and is now obviously obsolete: first, it leads to a lack of ability to evolve, and secondly, it is difficult to verify a priori and formally that the imposed properties, such as dependability or quality, are respected by the product or by its production system. The quality level of a product or of an industrial installation, and the evolution of its dependability, are concepts which are measurable by proper methods. These measures, done independently, are not sufficient for a complete evaluation of the properties of these concepts. Moreover, the causes of failures obey mechanisms which are often not globally identified. Therefore, the quality and the dependability of a whole system need both the implementation of measurement techniques and the identification of these particular mechanisms; and the design of any complex system belongs to a global approach which must integrate, at every stage of the system's life cycle, the points of view of dependability and quality. The main goal is therefore the coordination of all the experience and know-how that are involved in the design of a correct and optimal solution.

* The associated laboratories are: CRAN - Nancy - UPRES A 7039; LORIA - Nancy - UMR 7503; GREEN - Nancy - UPRES A 7037; LRGSI - Nancy - EA 1147; LASC - Metz; LSGC - Nancy - UPR CNRS 6811; LEMTA - Nancy - UMR 7563; LPMM - Metz - UMR 7554.

2. THE COORDINATION OF A SAFE SPECIFICATION OF AN INDUSTRIAL PROCESS AND ITS CONTROL SYSTEM

Most of the time, the dependability aspects of an industrial process are tackled in a late step of its development. Today, the conception of a system must be conducted in a global approach, taking the dependability aspects into account as early as possible and at each step of its lifetime. We are interested here in the development of automated production systems. Within this vast problem, we will consider the two following aspects: the specification of the control system, coordinated with the study of the process dependability in order to integrate failure-recovering procedures; and the development of the control system, taking into account dependability and quality requirements.

We do not consider here safety-relevant applications where the control loops and the safety loops have to be independent, for software as well as for hardware. We suppose that safety actions, such as fault recovering, may be performed by the control system itself. So it is very important for the specialists in control systems and in the production process to cooperate during the specification phase. For both, this will lead to a substantial increase in the knowledge of the physical process. Indeed, they have to search for precise models of the process behaviour in order to diagnose, control and make the industrial process dependable. This is a vast problem and we focus our interest only on a few points. Let us consider the representation of an industrial automated process illustrated in figure 1.

figure 1 (block diagram; only the block names are recoverable): hybrid dynamical system (industrial process, instrumentation system); diagnosis and detection system; feedback-control system; supervision and failure-recovering system.

We propose to consider only the three following points: how to make the instrumentation system reliable and optimal; how to make the diagnosis and detection system credible and faster; how to aid the specification of the feedback control and failure-recovering system.

2.1. To make the instrumentation reliable and optimal

The conception of the instrumentation system for the control and the supervision of an industrial process is very complex. Among the various problems, we are interested in the optimisation of the architecture of the instrumentation system according to reliability and cost criteria. In a first step, the available information is examined and classified in terms of observability (Ragot, et al., 1996). The concept of redundancy degree is introduced. The second step defines the optimal instrumentation structure to satisfy the reliability and/or the cost of the whole system. The search for the optimum takes into account the observability, the redundancy degree, and the impossibility or the obligation for a variable to be measured (Maquin, et al., 1996; Luong, et al., 1995; Luong, 1996).

Several aspects are developed, for example the search for the accuracy of sensors needed to estimate other variables with a given accuracy, the study of the sensitivity of the system reliability to parameters, and the consideration of simultaneous optimization criteria. These developments will be integrated in a software tool in the near future.

2.2. Produce a credible and fast diagnosis

The diagnosis of a system is the consideration, knowledge and interpretation of information in order to detect, locate and identify failures in the working system. One of the problems is to generate failure indicators, the residuals. They are relevant signals, sensitive to the failures of the system, and we are interested in the robustness of the residual generation. Another problem is data validation by means of comparison between sensor information and estimations obtained from models. The robustness with regard to structure and parameter errors is also an interesting problem (Nuninger, et al., 1996; Jean, et al., 1996). The interactions in the equation set describing the system induce prohibitive computations in terms of size and time. We tried to find a solution in the use of a sliding observation window or of the singular (descriptor) systems formalism (Gaddouna, et al., 1996a; Gaddouna, et al., 1996b). Fuzzy approaches and pattern recognition may be used to increase the knowledge coming from analytical methods (Adjallah, et al., 1996). Hybrid methods based on parametric models and pattern recognition or neural approaches are being evaluated in the context of a European Program.

2.3. Aid to the specification of the feedback control and failure recovering system

Our research has developed in the field of electromechanical systems, whose main characteristic is to be hybrid systems with strong time constraints (Zanne, et al., 1996). These systems are often kept in a few well-known and safe working modes. However, many other working modes are possible and some of them may be hazardous. The commutation between two modes may be caused by the control system, by a failure of the system or by an interaction with the environment. We recommend a preliminary analysis of the behaviour of the system in terms of working and failure modes, using the state graph formalism (Sawicki, 1994). It is then possible to establish the requirements of the control system, including the reconfiguration possibilities after a failure occurrence (Sawicki, et al., 1995). These requirements must be translated into a mathematical formalism, taking into account the hybrid aspect (interactions between continuous behaviour and discrete events). Interpreted Petri nets are used for such a description, where transitions are associated with events and states (places) with continuous operations. These Petri nets are built by a refinement method, in order to reduce the possible conception faults. After the formalization, the best way to validate the model is the synchronous simulation of the process behaviour and of the control system. At the moment, no satisfying software is able to achieve such a simulation. Some packages are being assessed, but they give only a partial answer to the problem.

Before transmitting the specification of the diagnosis and control system to the development team, it may be interesting to split the whole application into a set of functional blocks that will constitute elementary software modules (Elmasri, et al., 1996a). Usually, this task is considered as a step of the development process, as we will see in the next section. However, we think it would be better to do this in cooperation between specification and development engineers, because the criteria that may be used are sometimes dependent on control strategies and sometimes on architecture choices. For example, the dependability of a distributed control system may be significantly increased by the validation of the data transmitted between processors. But the specification of a validation algorithm cannot start before knowing the data to be validated, and these data are only identified after the distribution choices on the selected architecture. To assess the method, it has been applied to the specification of the control of a set of electromechanical converters (Elmasri, et al., 1996b; Elmasri, 1997).

In the above part, we functionally specified an optimal instrumentation architecture, an on-line diagnostic activity and the control part of a hybrid dynamical system, starting from the models of the process to be automated. Two points of view are confronted: that of the specialist of the control system and that of the specialist of the production system. Now it is time to confront these specifications with the development process, that is to say the implementation of the functional blocks on a computer-based system. Some aspects of the development problems will be presented in the next section.

3. THE DEVELOPMENT PROCESS OF DEPENDABLE DISTRIBUTED CONTROL SYSTEMS

The technological evolution of computer-based components and the extension of the goals of control systems (control, supervision, maintenance, quality management, ...) (Morel, et al., 1994) lead to complex and sophisticated applications distributed on heterogeneous devices (computers, PLCs, sensors, actuators, ...) connected by means of different networks. Their development consists in elaborating an eligible system, that is a system with the required dependability properties, and moreover in producing the best one according to one or several criteria (performance, cost, ...). Furthermore, the development process itself must respect cost constraints. As shown in the previous section, the specification of a control system is carried out disregarding the implementation and distribution problems. At this step the Functional Architecture of the application can be obtained. It models functions, data and control flows, and some properties can already be proven, such as the correctness of the specification. But we must ensure that at the integration step we will obtain a control system with the same properties. So the purpose of the next step, usually called the "design step" (Simonot-Lion, et al., 1995), is:
• on the one hand, to specify the partitioning of the specified application (the Functional Architecture) into intercommunicating modules and the allocation of these modules to a Physical Architecture, i.e. computing assets and communication systems;
• on the other hand, to prove that the result (called below the Operational Architecture) will respect the different constraints.
For economic reasons, an efficient strategy is to verify the properties as soon as possible, before the actual implementation, on models of the Operational Architecture. So the design step appears as a key activity in the development of dependable systems.

The presented studies are situated in this context. Two characteristics of these systems are taken into account: first, the fact that they are distributed, and secondly, the temporal properties that they must respect in order to ensure their dependability. More precisely, the obtained results consist of the definition and utilization of pertinent models of systems. The term "pertinent" means here well-suited for the verification of temporal properties and for the optimization of the Operational Architecture (dimensioning and configuration of the Physical Architecture). Below we present two complementary results: a formalism for the modeling of communicating functions and their associated time constraints, and two methods for the verification of properties which depend on time and communication. Finally, we show a methodology integrating the different results in order to assist the designer.

3.1. Specification of time constraints and cooperation models

In order to specify the time constraints to be respected by an Operational Architecture, we use a formalism based on explicit-clock temporal logic (Ostroff, 1989), which can be linked to other formalisms such as Time Petri Nets or queuing systems. Thanks to this formalism, a classification of time constraints has been proposed. Based on the notions of event (Halang and Sacha, 1992) and event occurrence, where $d(e_i)$ denotes the date of the $i$-th occurrence of event $e$, it defines four classes:
• absolute constraints: the occurrence $i$ of an event $e$ must lie in a given interval, $\delta_{min} \le d(e_i) \le \delta_{max}$;
• jitter constraints: constraints on the delay between two successive occurrences of an event, $\Delta_{min} \le d(e_{i+1}) - d(e_i) \le \Delta_{max}$;
• causality constraints: constraints on the delay between the occurrences of two events, cause and effect, $\Delta_{min} \le d(\mathit{effect}_i) - d(\mathit{cause}_i) \le \Delta_{max}$;
• time coherence constraints: simultaneity between the occurrences of several events, $\forall e, f \in E,\ |d(e_i) - d(f_i)| \le \Delta$ (Toussaint, et al., 1996).
By the study of how entities cooperate and exchange information, two basic cooperation models have been identified the

3.2. Validation methods

For the validation of the Operational Architecture, two ways have been explored. The first one consists in model checking performed on a Time Petri Net based model (Merlin and Farber, 1976; Berthomieu and Diaz, 1991; Toussaint, et al., 1997). This way becomes critical when the number of places grows. So the second approach is complementary to this one: the underlying formalism is that of queuing systems, and the validation is done thanks to simulation activities. These two approaches are implemented on similar applications in the context of an embedded system including a CAN or a FIP network (Toussaint, et al., 1997; Song, et al., 1996; Song, et al., 1995).

The formal verification is applied to a model of an Operational Architecture in the Time Petri Net formalism. How to build this model is the purpose of (Toussaint, et al., 1997). The above-mentioned concepts of events and event occurrences are translated into transitions and transition firing occurrences of the Time Petri Net model. From a Time Petri Net, (Berthomieu and Diaz, 1991) has demonstrated how to obtain an oriented graph representing all the possible sequences of transition firing (class graph). In (Toussaint, et al., 1996), we demonstrate how to use these notions in order to verify the four kinds of properties presented in section 3.1. In fact, two approaches can be used:
• direct verification: the temporal properties are translated into properties of the class graph obtained from the model of the Operational Architecture. For a given constraint (event occurrences and time intervals), the first property consists in the assertion that a set of paths in the graph is non-empty; each path of this set models a possible behaviour of the application and encloses the edges representing the observed event occurrences. Then a second step ends the proof by calculating the bounds of the time intervals on each path of the previously identified set and by comparing them with the interval specified in the constraint.
• overloading verification: we overload the Petri Net with a neutral observer (places and transitions). The verification is done by examining the marking of the class graph nodes or the firing of transitions.
Depending on the kind of constraint to be taken into account, we apply the first and/or the second approach. For further information, readers interested in these algorithms can refer to (Toussaint, et al., 1996) and (Toussaint, et al., 1997).

The simulation approach implements the evaluation of performances depending on the traffic generated by a given Operational Architecture. Namely, we evaluate the end-to-end message response time. The validation method is based on application models integrating the functional point of view (set of intercommunicating and cooperating functions), the Physical Architecture aspects (especially networks and protocols, connection of stations, ...) and a given mapping of functions onto this Physical Architecture. Assumptions are made on the power of the processors at each station, on the availability of local resources and on the local scheduling strategies. Therefore, we assume that the deadline constraints on tasks are met by each station. For a given application specification (in terms of tasks and message flows), the formalism upon which our method is built is that of timed state-transition systems. The simulation process then produces a list of all dated events.
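As an added illustration, which is not code from the paper nor from the workbench or VACANS tools it describes, the following Python script takes a dated event list of the kind the simulation approach of section 3.2 produces and checks it against the four constraint classes of section 3.1 (absolute, jitter, causality, time coherence). The trace, the event names and the bounds are constructed for the example. Two points are this checker's own assumptions rather than statements of the paper: occurrences are numbered in chronological order, and the $i$-th effect is paired with the $i$-th cause, so a cause without an effect is reported as a violation.

```python
"""Checking a dated event list against the four time-constraint classes of
section 3.1. Added example: trace, names and bounds below are constructed."""
from dataclasses import dataclass
from typing import List, Tuple, Union

# Dated event list, as a simulation run of section 3.2 would produce it:
# (event name, date in ms). CONSTRUCTED sample, not an output of any tool.
SAMPLE_TRACE: List[Tuple[str, float]] = [
    ("init", 0.0),
    ("sample", 0.0),  ("cmd", 2.0),  ("log", 2.5),
    ("sample", 10.0), ("cmd", 12.0), ("log", 12.5),
    ("sample", 20.0), ("cmd", 23.0), ("log", 23.5),
    ("sample", 32.0), ("cmd", 34.0), ("log", 34.5),  # sample 12 ms after the previous one
    ("sample", 40.0), ("cmd", 42.0), ("log", 42.5),  # and only 8 ms before the next
]


@dataclass(frozen=True)
class Absolute:
    """delta_min <= d(e_i) <= delta_max for one given occurrence i (1-based)."""
    event: str
    i: int
    dmin: float
    dmax: float


@dataclass(frozen=True)
class Jitter:
    """Delta_min <= d(e_{i+1}) - d(e_i) <= Delta_max for every i."""
    event: str
    dmin: float
    dmax: float


@dataclass(frozen=True)
class Causality:
    """Delta_min <= d(effect_i) - d(cause_i) <= Delta_max for every i.
    Assumption of this checker: the i-th effect is paired with the i-th cause."""
    cause: str
    effect: str
    dmin: float
    dmax: float


@dataclass(frozen=True)
class Coherence:
    """|d(e_i) - d(f_i)| <= Delta for every pair e, f of the set and every i."""
    events: Tuple[str, ...]
    delta: float


Constraint = Union[Absolute, Jitter, Causality, Coherence]


def occurrences(trace: List[Tuple[str, float]], name: str) -> List[float]:
    """Dates of the successive occurrences of `name`, in chronological order."""
    return sorted(d for n, d in trace if n == name)


def check(trace: List[Tuple[str, float]], c: Constraint) -> List[str]:
    """One message per violated instance of the constraint; empty list = satisfied."""
    bad: List[str] = []
    if isinstance(c, Absolute):
        occ = occurrences(trace, c.event)
        if len(occ) < c.i:  # an occurrence that never happens violates the constraint too
            bad.append(f"{c.event}: occurrence {c.i} never happens")
        elif not c.dmin <= occ[c.i - 1] <= c.dmax:
            bad.append(f"{c.event}: d({c.i}) = {occ[c.i - 1]:g} not in [{c.dmin:g}, {c.dmax:g}]")
    elif isinstance(c, Jitter):
        occ = occurrences(trace, c.event)
        for i, (a, b) in enumerate(zip(occ, occ[1:]), start=1):
            if not c.dmin <= b - a <= c.dmax:
                bad.append(f"{c.event}: d({i + 1}) - d({i}) = {b - a:g} not in [{c.dmin:g}, {c.dmax:g}]")
    elif isinstance(c, Causality):
        causes, effects = occurrences(trace, c.cause), occurrences(trace, c.effect)
        if len(effects) < len(causes):
            bad.append(f"{c.effect}: {len(causes) - len(effects)} occurrence(s) of {c.cause} without effect")
        for i, (a, b) in enumerate(zip(causes, effects), start=1):
            if not c.dmin <= b - a <= c.dmax:
                bad.append(f"{c.cause}->{c.effect}: delay {b - a:g} at occurrence {i} not in [{c.dmin:g}, {c.dmax:g}]")
    elif isinstance(c, Coherence):
        # all pairwise gaps <= Delta  <=>  spread (max - min) of the i-th dates <= Delta
        occs = [occurrences(trace, e) for e in c.events]
        for i in range(min(len(o) for o in occs)):
            dates = [o[i] for o in occs]
            if max(dates) - min(dates) > c.delta:
                bad.append(f"{'/'.join(c.events)}: spread {max(dates) - min(dates):g} at occurrence {i + 1} > {c.delta:g}")
    return bad


def verify(trace, constraints) -> List[Tuple[Constraint, List[str]]]:
    """Check every constraint of a specification against one trace."""
    return [(c, check(trace, c)) for c in constraints]


def all_satisfied(trace, constraints) -> bool:
    """True iff the trace respects every constraint of the specification."""
    return all(not v for _, v in verify(trace, constraints))


if __name__ == "__main__":
    SPEC = [Absolute("init", 1, 0, 5), Jitter("sample", 9, 11),
            Causality("sample", "cmd", 1, 3), Coherence(("cmd", "log"), 1.0)]
    for c, v in verify(SAMPLE_TRACE, SPEC):
        print("OK  " if not v else "FAIL", c, *v, sep="\n    ")
```

Run as a script, the constructed trace satisfies the absolute, causality and coherence constraints and fails the jitter constraint twice (the 32 ms sample is 12 ms after the previous one and 8 ms before the next), which is exactly the kind of result the "filter, average value computation, maximum value collecting" step of section 3.3 would reduce to a verdict. Note that one trace only shows the constraints are respected on that run; the exhaustive guarantee is what the class-graph verification of section 3.2 provides.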

3.3. Methodology and workbench

On the one hand, analytical and simulation methods are complementary. On the other hand, the different models are complex and their building is a difficult activity for a designer. These two remarks have emphasized the need for a tool which helps with this task. A first workbench (Toussaint, et al., 1997) takes as input data a specification given in terms of cooperating functions, time constraints on events, networks and protocols; it automatically builds the corresponding Time Petri Net and proceeds with the formal verification. Another tool, VACANS (Song, et al., 1995), works in a similar way. Here, the input data are given in terms of tasks (duration of their algorithm, characterized input data, output data and their control rules), Physical Architecture (number of stations, topology and characteristics of the network) and, for each station, the list of allocated tasks. Then the models are built by VACANS. Note that, in this case, for CAN-based applications and if the tasks are assumed to be periodic, another model is furnished by VACANS according to the analytical method presented in (Tindell and Burns, 1994). From these two models, the results are calculated (simulation or analysis) and finally, by means of specific algorithms (filter, average value computation, maximum value collecting, ...), the designer can obtain results in a form relevant for verification. Finally, an important point in the design activity is the modeling of the physical components used in the Physical Architecture. We have previously introduced how networks are represented in the models proposed in this section. But, as shown in section 2, for the implementation of diagnosis and control functions it is essential to take into account the instrumentation devices. That is why, in the presented project, a characterization of intelligent devices (sensors and actuators) is studied. We focus on interoperability and interworking properties. The concerned research (Galara, et al., 1995) has led to a structuring of these devices according to a formal modeling of the interactions between the physical process and the computer-based control system. The principal goal is to develop a standard in order to assist the designer in the integration of these essential components.

4. CONCLUSIONS AND FUTURE TRENDS

In this project, several laboratories have brought their approaches closer together. These approaches are complementary in the conception process, giving methodologies on the one hand for the specification of the control, diagnosis and instrumentation systems and, on the other hand, for the design of an operational architecture of these systems which keeps the imposed properties. Our determination to confront these approaches is permanent, and our objective is synthesis, for example a better typology of the functions of Automated Production Systems and the definition of generic architecture models. The continuation of this research will lead us to find continuity solutions for the development of these systems.

5. REFERENCES

Adjallah, K., G. Mourot, E. Tan, J. Ragot (1996). "Observateurs flous pour l'estimation d'état robuste des systèmes dynamiques". Rencontres francophones sur la logique floue et ses applications, LFA'96, Nancy, France, 4-5 December.
Berthomieu, B., M. Diaz (1991). "Modeling and Verification of Time Dependent Systems Using Time Petri Nets". IEEE Transactions on Software Engineering, 17(3), pp. 259-273.
Elmasri, A., P. Malleus, C. Zanne, J.-F. Aubry (1996a). "Digital control cycloconverter system implementation, specification of the synchronization problem". CESA'96 IMACS Multiconference, symposium on control, optimization and supervision, pp. 605-609, Lille, France, 9-12 July.
Elmasri, A., P. Malleus, C. Zanne, J.-F. Aubry (1996b). "Design and implementation of the control of a cycloconverter supplying an induction machine". IEEE Conference on Control Applications CCA, Dearborn, USA, 15-18 September.
Elmasri, A. (1997). "Conception et réalisation de la commande numérique rapprochée d'un convertisseur : application au cycloconvertisseur triphasé". Thèse de l'INPL, 10 April.
Gaddouna, B., S. Giulani, J. Ragot (1996a). "Design of observers for descriptor systems affected by unknown inputs". International Journal of System Science, vol. 27, no. 5, pp. 465-471.
Gaddouna, B., G. Schreier, J. Ragot (1996b). "Asymptotic observer for a nonlinear descriptor system". Symposium on Control, Optimization and Supervision, CESA'96, Lille, France, 9-12 July.
Galara, D., F. Russo, G. Morel, B. Iung (1995). "Update on the European state of the art of intelligent field devices". ISPE'95 Intelligent Systems in Process Engineering, Snowmass Village, Colorado.
Halang, W.A., K.M. Sacha (1992). "Real-time Systems". World Scientific Publishing Co. Pte. Ltd.
Jean, F., G. Mourot, J. Ragot (1996). "New results in robust state estimation for stochastic parameter systems". Symposium on Modelling, Analysis and Simulation, CESA'96, Lille, France, 9-12 July.
Luong, M., D. Maquin, J. Ragot (1995). "Conception optimale d'un système d'instrumentation". Rapport de fin de contrat CRAN/SNEAP, May (50 p.).
Luong, M. (1996). "Conception optimale de l'architecture d'un système d'instrumentation sous contraintes de diagnostic, de fiabilité et de disponibilité". Thèse de doctorat de l'Institut National Polytechnique de Lorraine, 16 December.
Maquin, D., M. Luong, J. Ragot (1996). "About the design of measurement systems and fault accommodation". Engineering Simulation, special issue on Engineering Diagnostics, G.E. Pukhov (ed.), vol. 13, pp. 1009-1024.
Merlin, P.M., D.J. Farber (1976). "Recoverability of Communication Protocols - Implications of a Theoretical Study". IEEE Transactions on Communications, 24(9), pp. 1036-1043.
Morel, G., B. Iung, D. Galara, F. Russo (1994). "Prototyping a sub-concept of Computer Integrated Manufacturing Engineering: The integrated Control, Maintenance and technical Management Systems". ISRAM'94, USA, August.
Nuninger, W., F. Kratz, J. Ragot (1996). "Observers and redundancy equations generation for systems with unknown inputs". Symposium on Modelling, Analysis and Simulation, CESA'96, Lille, France, 9-12 July.
Ostroff, J.S. (1989). "Temporal logic for real-time systems". Advanced Software Development Series, Research Studies Press Limited (distributed by John Wiley and Sons).
Ragot, J., M. Luong, D. Maquin (1996). "Observability of systems involving flows circulation". International Journal of Mineral Processing, vol. 47, pp. 125-140.
Sawicki, J.P. (1994). "Conception d'une commande de convertisseurs statiques intégrant la sûreté de fonctionnement : application au défaut onduleur". Thèse de doctorat de l'INPL, 28 October.
Sawicki, J.P., C. Zanne, J.-F. Aubry (1995). "Inverting Mode Failure Recovering Application to the Drive of a Generator Supplied by a Three Phase Thyristor Converter". 4th IEEE Conference on Control Applications, pp. 383-388, Albany, USA, September.
Simonot-Lion, F., J.P. Thomesse, M. Bayart, M. Staroswiecki (1995). "Dependable Distributed Computer Control Systems: Analysis of the Design Step Activities". Proceedings of IFAC DCCS'95, Toulouse-Blagnac, France, September.
Song, Y.Q., F. Simonot-Lion, P. Belissent (1995). "VACANS - A Tool for the Validation of CAN-based Applications". 2nd IEEE International Workshop on Factory Communication Systems, J.-D. Decotignie (ed.), pp. 193-200.
Song, Y.Q., F. Simonot-Lion, N. Navet (1996). "Validation of Distributed Real Time Systems thanks to Performance Evaluation of their Physical Architecture". Proceedings IMACS-IEEE Multiconference CESA'96, Lille, June.
Thomesse, J.-P., Z. Mammeri, L. Vega (1995). "Time in Distributed Systems: Cooperation and Communication Models". Proceedings of the 5th Workshop on Future Trends of Distributed Computing Systems, IEEE Computer Society Press, Cheju Island, Korea.
Tindell, K., A. Burns (1994). "Guaranteeing message latencies on control area network (CAN)". 1st International CAN Conference, Mainz, Germany, September.
Toussaint, J., L. Vega, F. Simonot-Lion (1996). "Formal Verification of Time Constrained Communications". Proceedings of the ISCA International Conference on Parallel and Distributed Computing Systems, Dijon, September.
Toussaint, J., C. Philippe, F. Simonot-Lion (1997). "A Model of CAN-Based Applications for the Verification of Temporal Properties". 3rd IFAC Symposium on Intelligent Components and Instruments for Control Applications, L. Foulloy (ed.), pp. 77-82, June.
Zanne, C., J.-F. Aubry, C. Iung (1996). "Modelisation of electromechanical processes as hybrid dynamical systems". CESA'96 IMACS Multiconference, symposium on discrete events and manufacturing systems, pp. 413-418, Lille, France, 9-12 July.